SY0-701 Practice Test Questions

715 Questions


A bank set up a new server that contains customers' PII. Which of the following should the bank use to make sure the sensitive data is not modified?


A. Full disk encryption


B. Network access control


C. File integrity monitoring


D. User behavior analytics





C. File integrity monitoring

Explanation:
File Integrity Monitoring (FIM) is a security control that continuously checks and alerts on unauthorized changes (modifications, deletions, or additions) to critical files, configurations, and directories. By implementing FIM on the server containing customers' PII (Personally Identifiable Information), the bank can ensure that any unauthorized modification to this sensitive data is immediately detected and investigated. This directly addresses the requirement to ensure data is not modified improperly.

Why the others are incorrect:

A) Full disk encryption:
This protects data at rest from unauthorized access if the physical disk is stolen or lost by encrypting the entire storage volume. However, it does not prevent modifications to files by authorized users or malware that has gained access to the system while it is running.

B) Network access control:
NAC regulates which devices are allowed to connect to a network based on security policies. It focuses on network access but does not monitor or protect against modifications to files on a server once access is granted.

D) User behavior analytics:
UBA analyzes user activities to detect anomalous behavior that might indicate insider threats or compromised accounts. While it can indirectly signal potential risks, it does not specifically monitor or prevent file modifications like FIM does.

Reference:
This aligns with SY0-701 Objective 3.2 ("Given a scenario, implement host or application security solutions") and data protection principles. FIM is a critical control for compliance with standards like PCI DSS, which requires monitoring changes to critical files to ensure data integrity. Tools like Tripwire or AWS GuardDuty (for cloud) are examples of FIM solutions.

A company is currently utilizing usernames and passwords, and it wants to integrate an MFA method that is seamless, can integrate easily into a user's workflow, and can utilize employee-owned devices. Which of the following will meet these requirements?


A. Push notifications


B. Phone call


C. Smart card


D. Offline backup codes





A. Push notifications

Explanation:
Push notifications for Multi-Factor Authentication (MFA) best meet all the stated requirements:

Seamless & Integrates into Workflow:
A push notification is sent automatically to an app on the user's device (e.g., Microsoft Authenticator, Duo). The user simply reviews the login details and taps "Approve" or "Deny." This requires minimal effort and integrates smoothly into a modern digital workflow without interrupting it.

Utilize Employee-Owned Devices (BYOD):
Push notification MFA relies on a software app installed on a smartphone. This is ideal for a Bring Your Own Device (BYOD) model, as employees can easily install the required app on their personal phones without the company needing to provision hardware.

Why not B?
Phone call: While a phone call can use an employee-owned device, it is not seamless. It requires the user to answer the call and often press a specific number on the keypad. This is more disruptive and time-consuming than a simple push notification approval.

Why not C?
Smart card: A smart card is a physical hardware token that must be issued by the company. This does not utilize employee-owned devices and requires the company to manage the procurement, distribution, and lifecycle of the cards. It is also less seamless, as it requires a reader and the physical action of inserting the card.

Why not D?
Offline backup codes: These are one-time-use codes provided to users as a backup method if their primary MFA is unavailable. They are not a primary authentication method and are neither seamless nor integrated into a workflow. They are a manual, fallback option.

Reference:
Domain 1.4: "Given a scenario, analyze indicators of malicious activity." While this domain covers broader topics, understanding MFA methods is a core part of identity and access management, which is foundational to security. Push notifications are a recommended, user-friendly MFA method in modern security frameworks like NIST's guidelines on digital identity.

A systems administrator is working on a solution with the following requirements:

• Provide a secure zone.
• Enforce a company-wide access control policy.
• Reduce the scope of threats.

Which of the following is the systems administrator setting up?


A. Zero Trust


B. AAA


C. Non-repudiation


D. CIA





A. Zero Trust

Explanation:
Zero Trust is a security model that aligns perfectly with all three requirements:

Provide a secure zone:
Zero Trust architecture creates micro-segments and secure enclaves within the network. Instead of a single "trusted" internal network, it establishes multiple "secure zones" where access is strictly controlled.

Enforce a company-wide access control policy:
A core principle of Zero Trust is "never trust, always verify." It mandates strict identity verification and least-privilege access controls for every user and device, regardless of whether they are inside or outside the corporate network. This is a universal (company-wide) policy.

Reduce the scope of threats:
By segmenting the network (creating secure zones) and enforcing granular access controls, Zero Trust contains potential breaches. If a threat actor compromises one system, their ability to move laterally to other systems (the "scope" of the threat) is severely limited.

Why not B?
AAA (Authentication, Authorization, and Accounting) is a framework for access control. While it is a critical component used within a Zero Trust model to "enforce access control policy," it is not the overarching framework that also provides "secure zones" and "reduces threat scope" through segmentation.

Why not C?
Non-repudiation is a legal concept that ensures a party cannot deny the authenticity of their signature on a document or a message they sent. It is achieved through techniques like digital signatures. It does not relate to creating secure zones or reducing threat scope.

Why not D?
CIA Triad (Confidentiality, Integrity, Availability) is the fundamental model of information security. It describes security goals (what to protect) but is not a specific architecture or solution that an administrator would "set up" to meet these technical requirements.

Reference:
Domain 2.1: "Explain the importance of security concepts in an enterprise environment." The SY0-701 objectives specifically list Zero Trust as a key security concept, describing it as a model that eliminates implicit trust and continuously validates every stage of digital interaction. The requirements in the question are a direct match for the goals and implementation of a Zero Trust architecture.

After reviewing the following vulnerability scanning report:

Server: 192.168.14.6
Service: Telnet
Port: 23
Protocol: TCP
Status: Open
Severity: High
Vulnerability: Use of an insecure network protocol

A security analyst performs the following test:

nmap -p 23 192.168.14.6 --script telnet-encryption
PORT   STATE SERVICE REASON
23/tcp open  telnet  syn-ack
| telnet-encryption:
|_  Telnet server supports encryption

Which of the following would the security analyst conclude for this reported vulnerability?


A. It is a false positive.


B. A rescan is required.


C. It is considered noise.


D. Compensating controls exist.





A. It is a false positive.

Explanation:
The vulnerability scan reported a high-severity issue because Telnet (port 23) is an insecure protocol that transmits data (including credentials) in cleartext, making it susceptible to eavesdropping.

However, the security analyst performed a follow-up test using an Nmap script (telnet-encryption) specifically designed to check if the Telnet service supports encryption. The result (Telnet server supports encryption) indicates that this particular Telnet implementation uses encryption to protect the data in transit, mitigating the inherent risk of the protocol.

Therefore, the original vulnerability scan incorrectly flagged this as a high-severity issue because it did not detect the encryption support. This makes the report a false positive—a finding that is incorrectly identified as a vulnerability when it is not actually present or is mitigated.

Why the others are incorrect:

B. A rescan is required:
A rescan might be useful for verification, but the analyst already conducted a targeted test that provided conclusive evidence (encryption is supported). No further scanning is needed to confirm this specific issue.

C. It is considered noise:
"Noise" in scanning refers to irrelevant or low-priority findings that clutter reports. This was a high-severity finding that required investigation, not mere noise.

D. Compensating controls exist:
Compensating controls are alternative measures (e.g., network segmentation) that reduce risk. Here, the encryption is a direct feature of the service itself, not an external compensating control.

Reference:
This aligns with SY0-701 Objective 4.1 ("Given a scenario, analyze indicators of malicious activity"). Vulnerability management includes validating scan results to eliminate false positives, as emphasized in best practices like NIST SP 800-115 ("Technical Guide to Information Security Testing and Assessment"). The use of tools like Nmap scripts for deeper verification is a key analyst skill.

During an investigation, an incident response team attempts to understand the source of an incident. Which of the following incident response activities describes this process?


A. Analysis


B. Lessons learned


C. Detection


D. Containment





A. Analysis

Explanation:
Analysis is the incident response activity that describes the process of understanding the source of an incident. Analysis involves collecting and examining evidence, identifying the root cause, determining the scope and impact, and assessing the threat actor's motives and capabilities. Analysis helps the incident response team to formulate an appropriate response strategy, as well as to prevent or mitigate future incidents. Analysis is usually performed after detection and before containment, eradication, recovery, and lessons learned.

Reference:
CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 6, page 223. CompTIA Security+ SY0-701 Exam Objectives, Domain 4.2, page 13.

Which of the following would be most useful in determining whether the long-term cost to transfer a risk is less than the impact of the risk?


A. ARO


B. RTO


C. RPO


D. ALE


E. SLE





D. ALE

Explanation:
The Annualized Loss Expectancy (ALE) is the most useful metric for comparing the long-term cost of risk transfer (e.g., purchasing insurance) against the impact of the risk itself. The ALE represents the expected monetary loss per year due to a specific risk. It is calculated as:

ALE = Single Loss Expectancy (SLE) × Annualized Rate of Occurrence (ARO)

SLE is the cost of a single occurrence of the risk (e.g., $10,000 per incident).

ARO is the estimated number of times the risk is expected to occur in a year (e.g., 0.5 times per year).

If the annual cost of transferring the risk (e.g., insurance premium) is less than the ALE, it may be financially justified to transfer the risk. Conversely, if the transfer cost is higher than the ALE, it might be more cost-effective to accept or mitigate the risk.

Analysis of Incorrect Options:

A. ARO (Annualized Rate of Occurrence):
This represents how often a threat is expected to occur annually (e.g., twice a year). While it is a component of ALE, it does not account for the cost of the risk, so it alone cannot determine if transfer is cost-effective.

B. RTO (Recovery Time Objective):
This is the maximum acceptable downtime after a disaster before business operations must resume. It is a metric used in business continuity planning, not quantitative risk analysis for cost comparisons.

C. RPO (Recovery Point Objective):
This is the maximum acceptable amount of data loss measured in time (e.g., losing no more than 1 hour of data). Like RTO, it is used for disaster recovery planning and does not help calculate financial impacts for risk decisions.

E. SLE (Single Loss Expectancy):
This is the cost of a single occurrence of a risk (e.g., $50,000 per data breach). While it is part of the ALE calculation, it does not account for how often the risk occurs annually, so it cannot represent the long-term cost.

Reference:
This question falls under Domain 5.0: Security Program Management and Oversight, specifically quantitative risk analysis. ALE is a key formula used to prioritize risks and make cost-effective decisions about risk treatment (avoid, transfer, mitigate, accept). It is central to frameworks like NIST SP 800-30 (Risk Management Guide).

Which of the following is used to protect a computer from viruses, malware, and Trojans being installed and moving laterally across the network?


A. IDS


B. ACL


C. EDR


D. NAC





C. EDR

Explanation:
EDR (Endpoint Detection and Response) is a security solution that continuously monitors and collects endpoint data (e.g., workstations, servers), uses behavioral analysis to identify suspicious activities, and provides capabilities to investigate and respond to threats. It is specifically designed to detect and prevent the installation and execution of malware (like viruses and Trojans) and is highly effective at identifying and stopping lateral movement across a network by isolating compromised endpoints.

Why the others are incorrect:

A) IDS (Intrusion Detection System):
An IDS is a network-based (NIDS) or host-based (HIDS) monitoring system that detects and alerts on suspicious activity but typically lacks the integrated response capabilities to actively prevent the initial installation or stop lateral movement on its own.

B) ACL (Access Control List):
An ACL is a fundamental network security feature (on routers, switches, or firewalls) that filters traffic based on rules (e.g., allow/deny by IP address/port). While it can be used to segment a network and inhibit lateral movement, it is not specifically designed to protect an individual computer from malware installation. It operates at the network level, not the endpoint level.

D) NAC (Network Access Control):
NAC is a solution that enforces security policies on devices attempting to access the network. It checks for compliance (e.g., updated antivirus, OS patches) before granting access. Its primary role is to prevent initial network access by unauthorized or non-compliant devices, but it is not focused on continuous monitoring and response to threats after a device is already on the network, which is when lateral movement occurs.

Reference:
This aligns with SY0-701 Objective 3.2 ("Given a scenario, implement host or application security solutions") which specifically lists Endpoint Detection and Response (EDR) as a key security solution. EDR's role in containing threats and preventing lateral movement is a core concept in modern security architecture.

A business needs a recovery site but does not require immediate failover. The business also wants to reduce the workload required to recover from an outage. Which of the following recovery sites is the best option?


A. Hot


B. Cold


C. Warm


D. Geographically dispersed





C. Warm

Explanation:
A Warm site is the best option in this scenario because it balances cost, recovery time, and administrative effort. It typically includes pre-configured infrastructure (like servers, network equipment, and power) but may not have live data or fully synchronized systems. This reduces the workload during recovery compared to a cold site (where everything must be set up from scratch) while still being more cost-effective than a hot site (which requires continuous maintenance and data synchronization). Since the business does not require immediate failover, the slightly longer recovery time of a warm site is acceptable.

Why the other options are incorrect:

A. Hot site:
A hot site is fully operational with real-time data replication, allowing for immediate failover. However, it is the most expensive option and requires significant ongoing maintenance (workload) to keep systems synchronized. This exceeds the business’s requirements.

B. Cold site:
A cold site is the least expensive but requires the most workload to recover. It is essentially a bare-bones facility with basic infrastructure (power, cooling), but all hardware, software, and data must be restored manually after an outage. This contradicts the goal of reducing recovery workload.

D. Geographically dispersed:
This refers to distributing resources across multiple locations to mitigate regional risks (e.g., natural disasters). It is a strategy that can be applied to any site type (hot, warm, cold) but does not define the recovery site’s readiness level. The business needs a specific site type (warm) that meets its cost and workload constraints.

Reference:
This question tests knowledge of disaster recovery site types and their trade-offs.

This falls under Domain 5.4: Explain the key aspects of business continuity and disaster recovery of the CompTIA Security+ SY0-701 exam objectives.

Warm sites are commonly recommended for organizations that need a balance between cost and recovery capabilities, as outlined in frameworks like NIST SP 800-34 (Contingency Planning Guide) and industry best practices. They offer a practical solution for businesses that can tolerate a short downtime without the high expense of a hot site.

Which of the following threat actors is the most likely to be hired by a foreign government to attack critical systems located in other countries?


A. Hacktivist


B. Whistleblower


C. Organized crime


D. Unskilled attacker





C. Organized crime

Explanation:
This question requires matching the threat actor profile to the specific activity: being hired by a foreign government to attack critical systems in other countries.

C. Organized crime is correct.
Cyber-organized crime groups are highly sophisticated, well-funded, and operate for financial profit. They often act as cyber mercenaries or are contracted as APT (Advanced Persistent Threat) groups by nation-states. This practice is known as a "proxy" attack. The foreign government benefits from plausible deniability ("it wasn't us, it was a criminal group") while still achieving its strategic goals. Attacking critical systems requires significant skill and resources, which organized crime possesses.

A. Hacktivist is incorrect.
Hacktivists are motivated by ideology (social, political, or religious beliefs). They are not typically motivated by financial gain and are therefore less likely to be "hired." Their actions are usually aimed at raising awareness or causing disruption to a specific cause, not carrying out sophisticated attacks on behalf of a government.

B. Whistleblower is incorrect.
A whistleblower is an insider who exposes wrongdoing, illegal activities, or unethical practices within an organization to the public or authorities. Their goal is typically transparency and accountability, not conducting cyber attacks for a foreign government.

D. Unskilled attacker is incorrect.
Unskilled attackers (often called "script kiddies") lack the technical expertise to attack critical national infrastructure. They use pre-written scripts and tools to exploit well-known vulnerabilities. A foreign government would not hire an unskilled actor for a mission targeting critical systems due to the high likelihood of failure and detection.

Reference:
CompTIA Security+ SY0-701 Objective 1.5: "Explain different threat actor models and attributes." This objective requires understanding the motivations, attributes, and targets of different threat actors, including organized crime groups and their role in targeted attacks, often on behalf of nation-states.

A visitor plugs a laptop into a network jack in the lobby and is able to connect to the company's network. Which of the following should be configured on the existing network infrastructure to best prevent this activity?


A. Port security


B. Web application firewall


C. Transport layer security


D. Virtual private network





A. Port security

Explanation:

Why A is Correct:
Port security is a feature on network switches that restricts which devices can connect to a physical network port. It can be configured to:

Allow only specific MAC addresses to use a port (sticky learning or static entries).

Limit the number of MAC addresses on a port (to prevent hubs/switches from being connected).

Take action (e.g., shut down the port, drop traffic) if an unauthorized device connects.

In this scenario, configuring port security on the switch port connected to the lobby jack would prevent unauthorized devices (like the visitor's laptop) from gaining access to the network, as its MAC address would not be allowed.

Why B is Incorrect:
A web application firewall (WAF) is designed to protect web applications by filtering and monitoring HTTP traffic. It is not used to control physical access to network ports or prevent unauthorized devices from connecting at the network layer.

Why C is Incorrect:
Transport Layer Security (TLS) is a protocol for encrypting data in transit. It protects the confidentiality of communications but does nothing to prevent an unauthorized device from physically connecting to a network jack and accessing the network.

Why D is Incorrect:
A virtual private network (VPN) is used to provide secure remote access over the internet. It is irrelevant to preventing a physical device from connecting to an internal network jack. In fact, if a visitor plugs into the network, they are already on the internal network and would not need a VPN.

Reference:
This question falls under Domain 2.0: Architecture and Design, specifically covering network security controls. Port security is a fundamental switch configuration best practice to prevent unauthorized access via physical network jacks, aligning with the principle of controlling physical network access.

After performing an assessment, an analyst wants to provide a risk rating for the findings. Which of the following concepts should most likely be considered when calculating the ratings?


A. Owners and thresholds


B. Impact and likelihood


C. Appetite and tolerance


D. Probability and exposure factor





B. Impact and likelihood

Explanation:
When calculating risk ratings, the concepts of impact and likelihood are most likely to be considered. Risk assessment typically involves evaluating the potential impact of a threat (how severe the consequences would be if the threat materialized) and the likelihood of the threat occurring (how probable it is that the threat will occur).

Impact: Measures the severity of the consequences if a particular threat exploits a vulnerability. It considers factors such as financial loss, reputational damage, and operational disruption.

Likelihood: Measures the probability of a threat exploiting a vulnerability. This can be based on historical data, current threat landscape, and expert judgment.

Reference:
CompTIA Security+ SY0-701 Exam Objectives, Domain 5.2 - Risk management process (Risk assessment: impact and likelihood).

Which of the following is used to validate a certificate when it is presented to a user?


A. OCSP


B. CSR


C. CA


D. CRC





A. OCSP

Explanation:
The correct answer is A. OCSP (Online Certificate Status Protocol).

When a user's browser or application is presented with a digital certificate (e.g., when visiting an HTTPS website), it needs to verify two main things:

That the certificate was issued by a trusted Certificate Authority (CA) and is valid (not expired, with a proper signature chain).

That the certificate has not been revoked by the CA before its expiration date.

OCSP (Online Certificate Status Protocol) is a method used specifically for this second step: validating that a certificate is still valid and has not been revoked.

Instead of downloading a full list of all revoked certificates (a CRL), the client sends a query to an OCSP responder (hosted by the CA) with the certificate's serial number. The OCSP responder sends back a signed response stating whether the certificate is "good," "revoked," or "unknown."

This provides real-time (or near-real-time) validation of a certificate's status at the moment it is presented.

Why the other options are incorrect:

B. CSR (Certificate Signing Request):
A CSR is a file generated by an applicant who wants a certificate. It contains the public key and identifying information to be included in the certificate. The CA uses the CSR to create the actual certificate. A CSR is used to request a certificate, not to validate one that has been presented.

C. CA (Certificate Authority):
The CA is the trusted entity that issues the certificate. The user's system trusts the CA's root certificate, which allows it to validate the cryptographic signature on the presented certificate. However, the CA itself is not the mechanism used for the daily, real-time validation of revocation status. The CA provides the infrastructure for OCSP or CRLs to perform that specific function.

D. CRC (Cyclic Redundancy Check):
A CRC is an error-detecting code used in digital networks and storage devices to detect accidental changes to raw data (e.g., to check for file corruption). It has nothing to do with PKI or digital certificate validation. This is a distractor.

Reference:
This is a core concept of Public Key Infrastructure (PKI) and is covered in the CompTIA Security+ SY0-701 objectives under Domain 3.3: Given a scenario, implement secure protocols.

The two primary methods for checking certificate revocation are:

CRL (Certificate Revocation List): A periodically updated list of revoked certificates that clients can download and check.

OCSP (Online Certificate Status Protocol): A real-time request/response protocol for checking a certificate's status.

