A company’s web filter is configured to scan the URL for strings and deny access when matches are found. Which of the following search strings should an analyst employ to prohibit access to non-encrypted websites?
A. encryption=off
B. http://
C. www.*.com
D. :443
Explanation:
http:// (B) is the correct answer. The Hypertext Transfer Protocol (HTTP) is unencrypted. Websites using http:// in the URL transmit all data, including credentials and sensitive information, in plaintext. To prohibit access to non-encrypted websites, an analyst should configure the web filter to deny URLs whose scheme is http://, that is, the string at the start of the URL rather than anywhere in it, so that an HTTPS URL that merely carries http:// inside a query parameter is not caught. This forces users onto HTTPS, which uses TLS to encrypt the connection. Note that https:// does not contain the substring http://, so the rule does not collide with encrypted sites.
Why the others are incorrect:
A) encryption=off:
This is not a standard part of a URL protocol or structure. A web filter scanning for this string would be ineffective, as it would almost never appear in a legitimate URL and is not an indicator of encryption status.
C) www.*.com:
This string is overly broad and would block virtually all websites, including encrypted ones (e.g., https://www.example.com). It does not distinguish between encrypted (HTTPS) and unencrypted (HTTP) traffic.
D) :443:
This is the default port number for HTTPS (encrypted) traffic. Blocking URLs containing :443 would actually prohibit access to encrypted websites, which is the opposite of the goal. While port 443 is used for HTTPS, it is not typically visible in the URL that a user enters or that a filter would scan (e.g., users go to https://example.com, not https://example.com:443).
Reference:
This question tests knowledge of SY0-701 Domain 4.5: Given a scenario, modify enterprise capabilities to enhance security (web filter, secure protocols). It requires understanding the fundamental difference between HTTP (unencrypted) and HTTPS (encrypted) and how they are represented in a URL. Web filters often use URL string matching as a basic method to enforce access policies, making this a practical scenario for security analysts.
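The filter rule above is easy to get subtly wrong, so here is an added example (not code from the original page) that contrasts a naive case-sensitive substring match with a check on the parsed URL scheme. The sample URLs are constructed for the demonstration; one of them is an HTTPS URL whose query string contains the text http://, and one is plaintext HTTP on port 443.

```python
from urllib.parse import urlsplit

# Constructed sample URLs (not from the original page).
SAMPLE_URLS = [
    "http://intranet.example.com/login",
    "HTTP://EXAMPLE.COM/",                                               # upper-case scheme
    "https://www.example.com/",
    "https://portal.example.com/redirect?next=http://old.example.com/",  # http:// only in a parameter
    "http://example.com:443/",                                           # plaintext HTTP on port 443
]

def naive_substring_deny(url: str) -> bool:
    """Deny if the literal string 'http://' appears anywhere in the URL (case-sensitive)."""
    return "http://" in url

def scheme_deny(url: str) -> bool:
    """Deny only when the URL's scheme is plaintext HTTP, whatever its case or port."""
    return urlsplit(url).scheme.lower() == "http"

def evaluate(urls):
    """Map each URL to (naive verdict, scheme verdict); True means 'deny'."""
    return {u: (naive_substring_deny(u), scheme_deny(u)) for u in urls}

if __name__ == "__main__":
    for url, (naive, scheme) in evaluate(SAMPLE_URLS).items():
        print(f"{url:70} naive={naive!s:5} scheme={scheme}")
```

The scheme check denies the upper-case URL the naive rule misses, allows the HTTPS redirect URL the naive rule would wrongly block, and still denies plaintext HTTP on port 443 (which is why matching on :443 is neither necessary nor sufficient). One practical caveat: browsers default to http:// for a bare hostname, so blocking it outright breaks sites that rely on an HTTP-to-HTTPS redirect; pairing the rule with HSTS or an HTTPS-first browser policy avoids that friction.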
During the onboarding process, an employee needs to create a password for an intranet account. The password must include ten characters, numbers, and letters, and two special characters. Once the password is created, the company will grant the employee access to other company-owned websites based on the intranet profile. Which of the following access management concepts is the company most likely using to safeguard intranet accounts and grant access to multiple sites based on a user's intranet account? (Select two).
A. Federation
B. Identity proofing
C. Password complexity
D. Default password changes
E. Password manager
F. Open authentication
Explanation:
The company is most likely using Federation and enforcing Password complexity.
Let's break down why these two are the correct choices based on the scenario:
C. Password Complexity:
The scenario explicitly states requirements for the password: "The password must include ten characters, numbers, and letters, and two special characters." This is a classic example of a password complexity policy. Its purpose is to safeguard the account by making the password difficult to guess or crack through brute-force attacks. It is a fundamental security control for protecting the initial authentication point.
A. Federation:
This is the core concept that explains how access is granted to other company-owned websites. Federation (implemented with standards such as SAML 2.0 or OpenID Connect; OAuth 2.0 underpins OIDC but is itself an authorization framework) establishes a trust relationship so that authentication performed by one identity provider is accepted by separate systems or domains, giving single sign-on (SSO) across them.
Here's how it works in this scenario:
The user creates a strong password (enforced by complexity rules) for their primary intranet account. This account is managed by an Identity Provider (IdP).
When the user tries to access another company-owned website (a Service Provider (SP)), they are redirected to the trusted IdP (the intranet login).
The user authenticates to the IdP with their strong intranet password.
The IdP returns a digitally signed assertion (a SAML assertion or an OIDC ID token) to the Service Provider, which verifies the signature, the intended audience and the validity period, and then grants access without requiring a separate password.
This creates a seamless user experience while maintaining security, as the sensitive password is only stored and used in one trusted place (the Identity Provider).
Why the other options are incorrect:
B. Identity Proofing:
This is the process of verifying that a person is who they claim to be during the initial identity establishment (e.g., before an account is first created). This might involve checking government IDs or answering knowledge-based questions. The scenario describes the onboarding process where the employee is already at the stage of creating a password, implying their identity has already been proofed and verified by the company. It is not the concept being used for ongoing access to websites.
D. Default Password Changes:
This is a security practice where a system-generated default password (often weak) must be changed by the user upon first login. The scenario does not mention a default password; it describes the employee creating a new password during onboarding that must meet specific complexity requirements.
E. Password Manager:
A password manager is a tool (software or hardware) that helps users generate, store, and autofill complex passwords. The company is not providing a tool; it is mandating the characteristics of the password itself. The employee could use a personal password manager to comply, but the company's action is enforcing complexity, not providing a manager.
F. Open Authentication (OAuth):
OAuth is a specific standard often used as part of a federated identity solution (it's the "how"). However, it is not the overarching concept itself. The question asks for the general "access management concept." Federation is the broader concept that encompasses technologies like OAuth. Furthermore, "Open Authentication" is not a standard term; the correct term is OAuth, which is an authorization framework, not a primary authentication method.
Reference:
This question combines two concepts from a single CompTIA Security+ SY0-701 objective:
Domain 4.6: Given a scenario, implement and maintain identity and access management (federation, single sign-on).
Domain 4.6 also covers password concepts, including length and complexity requirements.
The security team at a large global company needs to reduce the cost of storing data used for performing investigations. Which of the following types of data should have its retention length reduced?
A. Packet capture
B. Endpoint logs
C. OS security logs
D. Vulnerability scan
Explanation:
Packet capture (A) is the correct answer. Packet capture (PCAP) data records the raw traffic flowing across a network. This data is extremely voluminous, consuming a massive amount of storage space relative to other data types. For a large global company, the cost of storing full-fidelity PCAP data for extended periods is prohibitively high. Therefore, to achieve significant cost savings in storage, the retention period for packet capture data should be reduced first. Often, only metadata (like NetFlow) is kept for long periods, while full PCAP is stored for a much shorter duration for immediate investigative needs.
Why the others are incorrect:
B) Endpoint logs & C) OS security logs:
While these logs can generate a large amount of data, they are typically far smaller than full packet capture for the same time period, and they are structured text that compresses well. These logs are crucial for forensic investigations (e.g., process execution, user logins, file access) and are generally a higher priority for retention than PCAP because of their investigative value per byte stored.
D) Vulnerability scan:
The results of a vulnerability scan are relatively small data sets—essentially reports listing vulnerabilities found on systems. These reports are critical for tracking risk over time and demonstrating due diligence. The storage cost for these reports is negligible compared to the constant, massive stream of data from packet captures.
Reference:
This question tests knowledge of SY0-701 Domain 4.9: Given a scenario, use data sources to support an investigation (packet captures, endpoint logs, OS-specific security logs, vulnerability scans), together with the data retention decisions that follow from it. It requires an understanding of the relative storage costs of different data sources used in security investigations. This is a practical concern for security operations centers (SOCs), where balancing investigative capability with storage costs is a constant challenge.
Which of the following would help ensure a security analyst is able to accurately measure the overall risk to an organization when a new vulnerability is disclosed?
A. A full inventory of all hardware and software
B. Documentation of system classifications
C. A list of system owners and their departments
D. Third-party risk assessment documentation
Explanation: A full inventory of all hardware and software, including versions, is essential for measuring the overall risk to an organization when a new vulnerability is disclosed, because it allows the security analyst to identify which systems run the affected product and version and to prioritize remediation accordingly. Without a full inventory, the analyst may miss vulnerable systems or waste time and resources on systems that are not affected. Documentation of system classifications, a list of system owners and their departments, and third-party risk assessment documentation are all useful for risk management, but none of them tells the analyst where the vulnerable component actually exists, so they are not sufficient to measure the impact of a new vulnerability.
An administrator was notified that a user logged in remotely after hours and copied large amounts of data to a personal device. Which of the following best describes the user’s activity?
A. Penetration testing
B. Phishing campaign
C. External audit
D. Insider threat
Explanation:
An insider threat is a security risk that originates from within the targeted organization. This can be a current or former employee, contractor, or business partner who has inside information concerning the organization's security practices, data, and computer systems. The scenario describes a user (an insider) who:
Logged in remotely after hours (using legitimate access credentials but at an unusual time).
Copied large amounts of data to a personal device (an unauthorized action that indicates data exfiltration).
This behavior is a classic indicator of malicious insider activity, whether it's for intellectual property theft, espionage, or other malicious purposes.
Why not A?
Penetration testing: This is an authorized, simulated cyberattack conducted by security professionals to evaluate the security of a system. It is done with explicit permission and knowledge of the organization, not covertly by a regular user.
Why not B?
Phishing campaign: This is a broad social engineering attack conducted by external threat actors to trick users into revealing sensitive information. It is not an activity performed by an internal user using their own credentials.
Why not C?
External audit: This is a formal review conducted by an independent third party to assess compliance, financial records, or security controls. It is a legitimate, authorized activity that would not involve copying data to a personal device without oversight.
Reference:
SY0-701 Domain 2.1: "Compare and contrast common threat actors and motivations." The objectives specifically categorize insider threats as a major type of threat actor. The description of unauthorized data access and exfiltration by a legitimate user is a key indicator of this threat.
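The two indicators listed above (remote login outside business hours, then a large copy to a personal or removable device) are exactly what a correlation rule looks for. Here is an added example (not code from the original page) that runs such a rule over constructed VPN-login and file-transfer events; the business-hours window, the 1 GB threshold, the session window and the event field names are assumptions for the demo.

```python
from datetime import datetime, timedelta

# Constructed sample events (not from the original page). 2024-03-12 is a Tuesday.
VPN_LOGINS = [
    {"user": "jdoe",   "time": "2024-03-12T23:41:00", "src": "remote"},
    {"user": "asmith", "time": "2024-03-12T09:15:00", "src": "remote"},
    {"user": "jdoe",   "time": "2024-03-13T10:05:00", "src": "remote"},
]
FILE_TRANSFERS = [
    {"user": "jdoe",   "time": "2024-03-12T23:52:00", "bytes": 4_800_000_000, "dest": "removable:USB-3A1F"},
    {"user": "asmith", "time": "2024-03-12T09:40:00", "bytes": 12_000_000,    "dest": "share:fs01/projects"},
    {"user": "jdoe",   "time": "2024-03-13T10:30:00", "bytes": 9_000_000,     "dest": "removable:USB-3A1F"},
]

BUSINESS_HOURS = (8, 18)              # 08:00-18:00 local time, assumed
LARGE_TRANSFER_BYTES = 1_000_000_000  # 1 GB, assumed threshold
SESSION_WINDOW = timedelta(hours=8)   # transfers this long after login are attributed to it

def is_after_hours(ts: str) -> bool:
    """True for weekends or any time outside the business-hours window."""
    t = datetime.fromisoformat(ts)
    weekend = t.weekday() >= 5
    return weekend or not (BUSINESS_HOURS[0] <= t.hour < BUSINESS_HOURS[1])

def find_insider_indicators(logins, transfers):
    """Flag remote, after-hours logins followed by a large copy to a removable device."""
    alerts = []
    for login in logins:
        if login["src"] != "remote" or not is_after_hours(login["time"]):
            continue
        t0 = datetime.fromisoformat(login["time"])
        moved = sum(
            x["bytes"] for x in transfers
            if x["user"] == login["user"]
            and x["dest"].startswith("removable:")
            and t0 <= datetime.fromisoformat(x["time"]) <= t0 + SESSION_WINDOW
        )
        if moved >= LARGE_TRANSFER_BYTES:
            alerts.append({"user": login["user"], "login": login["time"], "bytes_to_removable": moved})
    return alerts

if __name__ == "__main__":
    for alert in find_insider_indicators(VPN_LOGINS, FILE_TRANSFERS):
        print("INSIDER INDICATOR:", alert)
```

Only the first login matches: it is remote, late at night, and is followed within the session window by a 4.8 GB copy to a USB device. The daytime logins, including the same user's small USB copy the next morning, do not fire, which is the point of correlating the two signals rather than alerting on either alone.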
Which of the following is the most common data loss path for an air-gapped network?
A. Bastion host
B. Unsecured Bluetooth
C. Unpatched OS
D. Removable devices
Explanation:
An air-gapped network is physically isolated from unsecured networks, such as the public internet or other local networks. This makes common network-based attack vectors (like an unpatched OS exploited over the internet) irrelevant. The primary data loss path for such a secured environment is through physical media.
Removable devices (e.g., USB drives, external hard drives) are the most common threat because they provide a simple, direct method for:
Data Exfiltration:
A malicious insider or an attacker who gains physical access can copy sensitive data onto a device and walk it out.
Data Introduction:
The same device can be used to introduce malware into the air-gapped system (e.g., via the Stuxnet worm, which famously used USB drives to propagate).
Why not A?
A bastion host is a specially hardened computer designed to withstand attacks. It is typically exposed to the public internet and acts as a gateway to a more secure internal network. An air-gapped network, by definition, has no such gateway to the internet, making a bastion host an irrelevant data loss path.
Why not B?
Unsecured Bluetooth is a wireless attack vector. A properly implemented air-gapped network will have all wireless adapters (Wi-Fi, Bluetooth, etc.) physically disabled or removed to enforce the "air gap," making this an unlikely path.
Why not C?
An unpatched operating system (OS) is a major vulnerability, but it is typically exploited over a network connection. Since the air-gapped network has no connection to external networks, the risk of a remote exploit is virtually eliminated. The threat from an unpatched OS in an air-gapped system would be primarily from malware introduced via a physical vector, like a removable device.
Reference:
SY0-701 Domain 3.2: "Given a scenario, apply security principles to secure enterprise infrastructure," which lists air-gapping under physical isolation, and Domain 2.2: "Explain common threat vectors and attack surfaces," which lists removable devices. The associated risks highlight the need for physical security controls (e.g., disabling USB ports) to mitigate the primary threat of removable media.
Which of the following is an algorithm performed to verify that data has not been modified?
A. Hash
B. Code check
C. Encryption
D. Checksum
Explanation:
A cryptographic hash function is an algorithm specifically designed to verify the integrity of data. It takes an input (or 'message') of any length and returns a fixed-size digest; any change to the input yields, with overwhelming probability, a different digest.
The process for verifying integrity is:
A sender calculates the hash of the original data.
The data and its hash are sent to the recipient.
The recipient independently calculates the hash of the received data.
The recipient compares their calculated hash with the hash that was sent.
If the two digests match exactly, the data is, for all practical purposes, unmodified: even a one-bit change to the original data produces a completely different digest (the avalanche effect).
This property is fundamental to ensuring data has not been tampered with and is a core function of integrity verification.
Why the other options are incorrect:
B. Code check:
This is not a standard cryptographic or integrity term. It may loosely evoke error-detecting or error-correcting codes, which catch transmission errors, but it does not name the algorithm used to verify that data has not been modified.
C. Encryption:
Encryption is an algorithm designed to provide confidentiality by transforming data into ciphertext to hide its content. Authenticated encryption modes such as AES-GCM do provide integrity as well, but encryption in general does not: a malleable ciphertext (for example, CTR mode with no MAC) can be altered without detection. Hashing is the primary tool for pure verification.
D. Checksum:
A checksum is a value used to verify the integrity of a file or a data transfer. The key difference is that a checksum is designed to detect accidental errors (like those from network noise or disk faults), but it is not cryptographically secure: simple additive or XOR checksums are unchanged by byte reordering, and even a CRC is linear enough that an attacker can append bytes to force any value, so it is easy to modify the data while keeping the checksum valid. A cryptographic hash function is designed so that it is computationally infeasible to reverse it or to find two different inputs that produce the same output, making it suitable for detecting intentional, malicious modification. One practitioner caveat: a bare hash only detects modification if the attacker cannot also replace the published digest; where that is possible, use a keyed construction (HMAC) or a digital signature, which bind the digest to a secret or private key.
Exam Objective Reference:
This question relates to SY0-701 Domain 1.4: Explain the importance of using appropriate cryptographic solutions, specifically hashing and the core security service of integrity. It tests the understanding of the different purposes of hashing (integrity) versus encryption (confidentiality).
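The verification procedure above and the checksum-versus-hash distinction are easiest to see side by side. The following added example (not code from the original page) runs a 16-bit additive checksum, SHA-256 and HMAC-SHA256 over a constructed payment message and a tampered copy that swaps the two amounts, then shows which mechanism catches what, including the case where the attacker can recompute an unkeyed hash. The shared key is an assumption for the demo.

```python
import hashlib
import hmac

def additive_checksum(data: bytes) -> int:
    """16-bit additive checksum, as used by many legacy formats; detects noise, not intent."""
    return sum(data) & 0xFFFF

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def hmac_sha256_hex(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()

# Constructed message and a malicious edit that swaps the two amounts.
# Both strings contain exactly the same bytes, only in a different order.
ORIGINAL = b"pay 10 to bob; pay 90 to eve"
TAMPERED = b"pay 90 to bob; pay 10 to eve"

def checksum_detects_tamper() -> bool:
    return additive_checksum(ORIGINAL) != additive_checksum(TAMPERED)

def hash_detects_tamper() -> bool:
    return sha256_hex(ORIGINAL) != sha256_hex(TAMPERED)

def verify_with_hash(data: bytes, claimed_digest: str) -> bool:
    """Recipient-side check from the explanation: recompute and compare (constant time)."""
    return hmac.compare_digest(sha256_hex(data), claimed_digest)

def verify_with_hmac(key: bytes, data: bytes, claimed_tag: str) -> bool:
    """Same check, but the tag is bound to a key the attacker does not have."""
    return hmac.compare_digest(hmac_sha256_hex(key, data), claimed_tag)

if __name__ == "__main__":
    print("checksum catches swap:", checksum_detects_tamper())   # False
    print("sha256 catches swap:  ", hash_detects_tamper())       # True
    # Attacker who can replace data AND digest defeats a bare hash...
    print("forged hash accepted: ", verify_with_hash(TAMPERED, sha256_hex(TAMPERED)))
    # ...but cannot produce a valid HMAC without the key.
    key = b"shared-secret"   # assumed demo key
    print("forged hmac accepted: ", verify_with_hmac(key, TAMPERED, hmac_sha256_hex(b"guess", TAMPERED)))
```

The additive checksum is identical for both messages because it ignores byte order, while SHA-256 differs. The last two checks illustrate the caveat in the explanation: an unkeyed hash proves integrity only when the digest itself is delivered through a channel the attacker cannot write to; an HMAC (or a signature) removes that dependency.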
Which of the following roles, according to the shared responsibility model, is responsible for securing the company’s database in an IaaS model for a cloud environment?
A. Client
B. Third-party vendor
C. Cloud provider
D. DBA
Explanation:
In the cloud shared responsibility model, the division of security duties depends on the service model (IaaS, PaaS, SaaS). The question specifies an IaaS (Infrastructure as a Service) model.
IaaS Model:
The cloud provider is responsible for the security of the cloud. This includes the physical infrastructure, network connectivity, and the hypervisor that virtualizes the compute, storage, and networking resources.
The client (the company using the service) is responsible for security in the cloud. This includes securing:
The guest operating systems on their virtual machines
The applications installed on those VMs
The data, including the company's database and its configuration
Identity and Access Management (IAM) for their users
Since the database is an application installed and managed by the company on the virtual infrastructure provided by the cloud provider, securing it is the client's responsibility.
Why the other options are incorrect:
B. Third-party vendor (Incorrect):
A third-party vendor might provide the database software (e.g., Oracle, MongoDB), but the responsibility for securing the installation, configuration, patching, and access to that database instance falls on the client who owns and operates it in their IaaS environment.
C. Cloud provider (Incorrect):
The cloud provider's responsibility in IaaS ends at the virtualization layer. They ensure the underlying infrastructure is available and secure, but they have no access to or responsibility for the operating systems, applications, or data you deploy on that infrastructure.
D. DBA (Incorrect):
A Database Administrator (DBA) is a role within the client's organization. While the DBA would be the individual tasked by the client with implementing the technical controls to secure the database (e.g., configuring authentication, encryption, auditing), the ultimate responsibility belongs to the client organization itself, as defined in the contract with the cloud provider.
Reference:
This question falls under SY0-701 Domain 3.1: Compare and contrast security implications of different architecture models, specifically the cloud responsibility matrix and the service models (IaaS, PaaS, SaaS). Understanding which security tasks are the client's duty in each model is a critical objective for the SY0-701 exam.
A data administrator is configuring authentication for a SaaS application and would like to reduce the number of credentials employees need to maintain. The company prefers to use domain credentials to access new SaaS applications. Which of the following methods would allow this functionality?
A. SSO
B. LEAP
C. MFA
D. PEAP
Explanation: SSO stands for single sign-on, which is a method of authentication that allows users to access multiple applications or services with one set of credentials. SSO reduces the number of credentials employees need to maintain and simplifies the login process. SSO can also improve security by reducing the risk of password reuse, phishing, and credential theft. SSO can be implemented using various protocols, such as SAML, OAuth, OpenID Connect, and Kerberos, that enable the exchange of authentication information between different domains or systems. SSO is commonly used for accessing SaaS applications, such as Office 365, Google Workspace, Salesforce, and others, using domain credentials [1][2][3].
B. LEAP stands for Lightweight Extensible Authentication Protocol, a Cisco-proprietary EAP method for wireless network authentication. It is not related to SaaS applications or domain credentials, and it is also considered insecure because its MS-CHAP-based exchange is vulnerable to offline dictionary attacks [4].
C. MFA stands for multi-factor authentication, which is a method of authentication that requires users to provide two or more pieces of evidence to prove their identity. MFA enhances security by adding a layer of protection beyond passwords, such as tokens, biometrics, or codes. MFA does not by itself reduce the number of credentials a user maintains; it is commonly layered on top of SSO at the identity provider, so it complements the answer rather than replacing it [5].
D. PEAP stands for Protected Extensible Authentication Protocol, which is a protocol that provides secure authentication for wireless networks. PEAP uses TLS to create an encrypted tunnel between the client and the server, and then uses another authentication method, such as MS-CHAPv2 or EAP-GTC, to verify the user's identity. PEAP is not related to SaaS applications or domain credentials [6].
References:
[1] Security+ (SY0-701) Certification Study Guide, CompTIA IT Certifications
[2] What is Single Sign-On (SSO)? - Definition from WhatIs.com
[3] Single sign-on - Wikipedia
[4] Lightweight Extensible Authentication Protocol - Wikipedia
[5] What is Multi-Factor Authentication (MFA)? - Definition from WhatIs.com
[6] Protected Extensible Authentication Protocol - Wikipedia
A recent penetration test identified that an attacker could flood the MAC address table of network switches. Which of the following would best mitigate this type of attack?
A. Load balancer
B. Port security
C. IPS
D. NGFW
Explanation:
Why B is Correct:
Port security is a feature on network switches that directly mitigates MAC address table flooding attacks. In this type of attack, an attacker sends a large number of frames with spoofed source MAC addresses to overwhelm the switch's MAC address table, causing it to enter a "fail-open" state where it broadcasts traffic to all ports (like a hub), allowing the attacker to eavesdrop. Port security can be configured to:
Limit the number of MAC addresses allowed on a specific port.
Learn addresses dynamically or record them as "sticky" secure addresses in the running configuration, so that only the expected hosts are accepted on the port.
Take action (e.g., shut down the port) if unauthorized MAC addresses are detected.
This prevents the switch's MAC address table from being flooded.
Why A is Incorrect:
A load balancer distributes network traffic across multiple servers to optimize resource use and ensure availability. It operates at higher layers (e.g., Layer 4 or 7) and is not designed to protect Layer 2 switch functionality like MAC address tables.
Why C is Incorrect:
An Intrusion Prevention System (IPS) monitors network traffic for malicious activity and can block attacks. While some IPS systems might have signatures for MAC flooding, they are not as effective or direct as port security, which is implemented on the switch itself where the attack occurs. Port security is a preventive control, while IPS is more reactive.
Why D is Incorrect:
A Next-Generation Firewall (NGFW) provides advanced network security by inspecting traffic at multiple layers and applying policies. However, it is typically deployed at the network perimeter or between segments and does not protect internal switches from Layer 2 attacks like MAC flooding.
Reference:
This question falls under SY0-701 Domain 3.2: Given a scenario, apply security principles to secure enterprise infrastructure, which covers port security among the switch-level controls. Port security is a fundamental switch configuration best practice to prevent Layer 2 attacks, including MAC address table flooding, and is a key objective for the SY0-701 exam.
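The "fail-open" behaviour and the way a per-port MAC limit stops it are easier to see in a small model than in prose. The following added example (not code from the original page or any vendor's implementation) simulates a learning switch with a CAM table of 100 entries: an attacker on one port floods spoofed source addresses, a victim then announces itself, and a peer sends the victim a unicast frame. The port names, MAC addresses, table size and frame counts are constructed for the demo.

```python
from collections import defaultdict

class Switch:
    """Toy learning switch. Frames to an unknown destination are flooded out every
    other port, which is what an attacker exploits once the CAM table is full and
    legitimate addresses can no longer be learned."""

    def __init__(self, ports, cam_capacity, port_security_max=None):
        self.ports = list(ports)
        self.cam_capacity = cam_capacity
        self.cam = {}                          # mac -> port
        self.max_per_port = port_security_max  # None means port security is off
        self.secure_macs = defaultdict(set)    # port -> MACs accepted by port security
        self.err_disabled = set()

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of egress ports for a frame; an empty set means it was dropped."""
        if in_port in self.err_disabled:
            return set()
        # Port security: cap the number of source MACs seen on a port; a violation
        # shuts the port (the 'shutdown' violation action).
        if self.max_per_port is not None and src_mac not in self.secure_macs[in_port]:
            if len(self.secure_macs[in_port]) >= self.max_per_port:
                self.err_disabled.add(in_port)
                return set()
            self.secure_macs[in_port].add(src_mac)
        # Learn the source MAC only while the CAM table has room.
        if src_mac not in self.cam and len(self.cam) < self.cam_capacity:
            self.cam[src_mac] = in_port
        out = self.cam.get(dst_mac)
        if out is None or out == in_port:      # unknown destination -> flood
            return {p for p in self.ports if p != in_port}
        return {out}

ATTACKER, VICTIM, PEER = "Gi1/1", "Gi1/2", "Gi1/3"          # assumed port names
VICTIM_MAC, PEER_MAC = "aa:00:00:00:00:02", "aa:00:00:00:00:03"
BROADCAST = "ff:ff:ff:ff:ff:ff"

def simulate(port_security_max=None, flood_frames=500):
    sw = Switch(ports=[ATTACKER, VICTIM, PEER], cam_capacity=100,
                port_security_max=port_security_max)
    # 1. Attacker floods spoofed source MACs (on a real switch this also starves
    #    legitimate entries as they age out and cannot be relearned).
    for i in range(flood_frames):
        sw.forward(ATTACKER, f"de:ad:be:{i >> 8:02x}:{i & 0xff:02x}:01", BROADCAST)
    # 2. Victim announces itself (e.g. an ARP request).
    sw.forward(VICTIM, VICTIM_MAC, BROADCAST)
    # 3. A peer sends a unicast frame to the victim. Does the attacker's port see it?
    egress = sw.forward(PEER, PEER_MAC, VICTIM_MAC)
    return {"egress": egress,
            "attacker_sees_unicast": ATTACKER in egress,
            "attacker_port_disabled": ATTACKER in sw.err_disabled,
            "cam_entries": len(sw.cam)}

if __name__ == "__main__":
    print("no port security:", simulate())
    print("max 1 MAC/port:  ", simulate(port_security_max=1))
```

Without port security the table fills with the attacker's addresses, the victim is never learned, and the peer's unicast frame is flooded to the attacker's port as well. With a one-address limit the attacker's second spoofed frame err-disables the port, the CAM table stays small, and the unicast frame goes only to the victim. On Cisco IOS the equivalent settings are switchport port-security, switchport port-security maximum 1, switchport port-security violation shutdown and, for the sticky behaviour, switchport port-security mac-address sticky.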
A Chief Information Security Officer (CISO) wants to explicitly raise awareness about the increase of ransomware-as-a-service in a report to the management team. Which of the following best describes the threat actor in the CISO's report?
A. Insider threat
B. Hacktivist
C. Nation-state
D. Organized crime
Explanation:
Ransomware-as-a-Service (RaaS) is a cybercrime business model where developers create ransomware and lease it to affiliates, who then carry out the attacks. The profits are shared between the developers and the affiliates.
D. Organized crime is correct.
This business model is a hallmark of cyber-organized crime. These groups operate like sophisticated businesses, with developers, distributors, and customer support, all focused on financial profit. Their structured, profit-driven approach aligns perfectly with the characteristics of organized crime.
A. Insider threat is incorrect.
An insider threat is a current or former employee, contractor, or business partner who has inside access and misuses it to harm the organization. While an insider might use ransomware, the RaaS model itself is operated and promoted by external criminal organizations, not typically by insiders.
B. Hacktivist is incorrect.
Hacktivists are motivated by ideology or social/political causes, not financial gain. Their goal is to raise awareness or disrupt services for their cause. They would not typically develop and sell a service for profit; their actions are meant to send a message.
C. Nation-state is incorrect.
Nation-state actors are sponsored by governments and are primarily motivated by espionage, intellectual property theft, or sabotage to achieve strategic goals. While they may use ransomware as a tool for disruption or to create plausible deniability, their primary motive is not financial profit. The RaaS model is fundamentally a for-profit criminal enterprise, not a nation-state intelligence operation.
Reference:
CompTIA Security+ SY0-701 Objective 2.1: "Compare and contrast common threat actors and motivations." This objective requires understanding the motivations and characteristics of different threat actors. Organized crime is explicitly defined by its financial motivation and increasingly sophisticated, business-like operations, such as Ransomware-as-a-Service (RaaS).
While considering the organization's cloud-adoption strategy, the Chief Information Security Officer sets a goal to outsource patching of firmware, operating systems, and applications to the chosen cloud vendor. Which of the following best meets this goal?
A. Community cloud
B. PaaS
C. Containerization
D. Private cloud
E. SaaS
F. IaaS
Explanation: Software as a Service (SaaS) is the cloud model that best meets the goal of outsourcing the management, including patching, of firmware, operating systems, and applications to the cloud vendor. In a SaaS environment, the cloud provider is responsible for maintaining and updating the entire software stack, allowing the organization to focus on using the software rather than managing its infrastructure. The other service models leave part of the goal with the customer: in IaaS the provider patches the physical hosts, firmware and hypervisor, but the customer still patches guest operating systems and applications; in PaaS the provider also patches the operating system and runtime, but the customer remains responsible for the application code it deploys. Community and private clouds are deployment models, not service models, and containerization is a packaging technique; none of them by itself shifts patching to a vendor.