
初心者向けのSY0-701日本語試験 [2025] 問題集でCompTIAのPDF問題
SY0-701日本語プレミアム試験エンジンPDFをダウンロード
質問 # 68
脅威アクターはユーザー名とパスワードを使用して、盗まれた会社のモバイル デバイスにログインすることができました。次のどれが、すべての従業員の会社のモバイル デバイスのモバイル データのセキュリティを強化するための最適なソリューションですか?
- A. コンテナ化
- B. フルディスク暗号化
- C. リモートワイプ
- D. アプリケーション管理
正解:C
解説:
The question was not asking about the single phone that was stolen (in which case a remote wipe may work after the fact); rather, it asks for "the best solution to increase mobile data security on all employees' company mobile devices".
質問 # 69
ある企業は、天候によるサーバールームの損傷やダウンタイムを懸念しています。
企業が考慮すべき事項は次のうちどれでしょうか?
- A. ロードバランサー
- B. クラスタリングサーバー
- C. 地理的分散
- D. オフサイトバックアップ
正解:C
解説:
Geographic dispersion is a strategy that involves distributing the servers or data centers across different geographic locations. Geographic dispersion can help the company to mitigate the risk of weather events causing damage to the server room and downtime, as well as improve the availability, performance, and resilience of the network. Geographic dispersion can also enhance the disaster recovery and business continuity capabilities of the company, as it can provide backup and failover options in case of a regional outage or disruption. The other options are not the best ways to address the company's concern:
Clustering servers: This is a technique that involves grouping multiple servers together to act as a single system. Clustering servers can help to improve the performance, scalability, and fault tolerance of the network, but it does not protect the servers from physical damage or downtime caused by weather events, especially if the servers are located in the same room or building.
Load balancers: These are devices or software that distribute the network traffic or workload among multiple servers or resources. Load balancers can help to optimize the utilization, efficiency, and reliability of the network, but they do not prevent the servers from being damaged or disrupted by weather events, especially if the servers are located in the same room or building.
Off-site backups: These are copies of data or files that are stored in a different location than the original source. Off-site backups can help to protect the data from being lost or corrupted by weather events, but they do not prevent the servers from being damaged or disrupted by weather events, nor do they ensure the availability or continuity of the network services.
質問 # 70
承認されていないソフトウェアの導入によって企業ネットワークに脆弱性が生じる可能性が最も高いのは次のどれですか?
- A. スクリプトキディ
- B. ハクティビスト
- C. シャドーIT
- D. 競合他社
正解:C
解説:
Shadow IT refers to the use of information technology systems, devices, software, applications, and services without explicit IT department approval. This is the most likely cause of introducing vulnerabilities on a corporate network by deploying unapproved software, as such software may not have been vetted for security compliance, increasing the risk of vulnerabilities.
References =
* CompTIA Security+ SY0-701 Course Content: The concept of Shadow IT is discussed as a significant risk due to the introduction of unapproved and potentially vulnerable software into the corporate network.
質問 # 71
米国を拠点とするクラウド ホスティング プロバイダーは、データ センターを新しい海外の拠点に拡張したいと考えています。ホスティング プロバイダーが最初に検討すべき事項は次のうちどれですか。
- A. 既存の契約上の義務への影響
- B. 地域のデータ保護規制
- C. ログ相関におけるタイムゾーンの違い
- D. 他国に居住するハッカーによるリスク
正解:B
解説:
Local data protection regulations are the first thing that a cloud-hosting provider should consider before expanding its data centers to new international locations. Data protection regulations are laws or standards that govern how personal or sensitive data is collected, stored, processed, and transferred across borders. Different countries or regions may have different data protection regulations, such as the General Data Protection Regulation (GDPR) in the European Union, the Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada, or the California Consumer Privacy Act (CCPA) in the United States. A cloud-hosting provider must comply with the local data protection regulations of the countries or regions where it operates or serves customers, or else it may face legal penalties, fines, or reputational damage. Therefore, a cloud-hosting provider should research and understand the local data protection regulations of the new international locations before expanding its data centers there.
質問 # 72
ある企業は災害復旧サイトを計画しており、単一の自然災害によって規制されたバックアップデータが完全に失われないようにする必要があります。
- A. ホットサイト
- B. プラットフォームの多様性
- C. 地理的分散
- D. 企業が考慮すべき事項は次のうちどれですか?
- E. 負荷分散
正解:D
質問 # 73
次のトピックのうち、組織の SDLC に含まれる可能性が高いのはどれですか?
- A. サービスレベル契約
- B. ブランチ保護要件
- C. 侵入テストの方法論
- D. 情報セキュリティポリシー
正解:B
解説:
Branch protection requirements are related to the version control and development process within the SDLC, ensuring that code changes are reviewed, tested, and approved before being merged into main branches. This helps maintain code quality and security throughout the development process.
Penetration testing is usually conducted as part of the testing phase or after deployment to identify vulnerabilities and security weaknesses. It is a separate process from the core stages of the SDLC but is an important aspect of ensuring the security and robustness of the application once development is completed.
質問 # 74
サーバーのセキュリティ設定が変更されたかどうかを毎日一貫して確認するための最良の方法はどれですか?
- A. 証明
- B. 手動監査
- C. 自動化
- D. コンプライアンス チェックリスト
正解:C
質問 # 75
経理担当者は、新しい口座を使用するようにという不正な指示を受け、攻撃者の銀行口座に送金しました。今後この行為を防ぐには、次のうちどれが最も効果的でしょうか。
- A. 内部脅威検出対策の実施
- B. セキュリティインシデント報告の標準化
- C. 定期的なフィッシングキャンペーンの実行
- D. 電信送金の送信プロセスの更新
正解:D
解説:
To prevent an accounting clerk from sending money to an attacker's bank account due to fraudulent instructions, the most effective measure would be updating the processes for sending wire transfers. This can include implementing verification steps, such as requiring multiple approvals for changes in payment instructions and directly confirming new account details with trusted sources.
Updating processes for sending wire transfers: Involves adding verification and approval steps to prevent fraudulent transfers.
Standardizing security incident reporting: Important for handling incidents but not specifically focused on preventing fraudulent wire transfers.
Executing regular phishing campaigns: Helps raise awareness but may not directly address the process vulnerability.
Implementing insider threat detection measures: Useful for detecting malicious activities but does not directly prevent fraudulent transfer instructions.
質問 # 76
パスワードを強化し、ハッカーによる解読を防ぐために、36 文字のランダムな文字列がパスワードに追加されました。この手法を最もよく表しているのはどれですか。
- A. キーストレッチ
- B. ソルティング
- C. トークン化
- D. データマスキング
正解:B
解説:
Adding a random string of characters, known as a "salt," to a password before hashing it is known as salting.
This technique strengthens passwords by ensuring that even if two users have the same password, their hashes will be different due to the unique salt, making it much harder for attackers to crack passwords using precomputed tables.References: CompTIA Security+ SY0-701 course content and official CompTIA study resources.
質問 # 77
ある中小企業では、販売フロアのキオスクを使用して顧客に製品情報を表示しています。セキュリティ チームは、キオスクでサポート終了のオペレーティング システムが使用されていることを発見しました。現在のアーキテクチャのセキュリティへの影響としてセキュリティ チームが文書化する可能性が高いのは次のどれですか。
- A. パッチの可用性
- B. 回復の容易さ
- C. 製品ソフトウェアの互換性
- D. 交換費用
正解:A
解説:
End-of-life operating systems are those that are no longer supported by the vendor or manufacturer, meaning they do not receive any security updates or patches. This makes them vulnerable to exploits and attacks that take advantage of known or unknown flaws in the software. Patch availability is the security implication of using end-of-life operating systems, as it affects the ability to fix or prevent security issues. Other factors, such as product software compatibility, ease of recovery, or cost of replacement, are not directly related to security, but rather to functionality, availability, or budget. Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 29 1
質問 # 78
数人の従業員が、最高経営責任者(CEO)を名乗る人物から詐欺のテキスト メッセージを受け取りました。メッセージには次のように書かれていました。
「私は今、空港にいて、メールにアクセスできません。従業員表彰賞用のギフト カードを購入していただく必要があります。ギフト カードを次のメール アドレスに送ってください。」この状況に対する最適な対応は次のうちどれですか。(2 つ選択してください)。
- A. 会社全体に電子メールによる警告を発行します。
- B. モバイル デバイス管理を実装します。
- C. 毎年の社内研修にスミッシング演習を追加します。
- D. 現在の従業員表彰ギフトカードをキャンセルします。
- E. CEO の電話のフォレンジック調査を実施します。
- F. CEO に電話番号を変更してもらいます。
正解:A、C
解説:
This situation is an example of smishing, which is a type of phishing that uses text messages (SMS) to entice individuals into providing personal or sensitive information to cybercriminals. The best responses to this situation are to add a smishing exercise to the annual company training and to issue a general email warning to the company. A smishing exercise can help raise awareness and educate employees on how to recognize and avoid smishing attacks. An email warning can alert employees to the fraudulent text message and remind them to verify the identity and legitimacy of any requests for information or money. References = What Is Phishing | Cybersecurity | CompTIA, Phishing - SY0-601 CompTIA Security+ : 1.1 - Professor Messer IT Certification Training Courses
質問 # 79
ある銀行は、すべてのベンダーが盗難されたラップトップのデータ損失を防止する必要があると主張しています。銀行が要求している戦略は次のどれですか。
- A. マスキング
- B. 保存時の暗号化
- C. データ分類
- D. 権限制限
正解:B
解説:
Encryption at rest is a strategy that protects data stored on a device, such as a laptop, by converting it into an unreadable format that can only be accessed with a decryption key or password. Encryption at rest can prevent data loss on stolen laptops by preventing unauthorized access to the data, even if the device is physically compromised. Encryption at rest can also help comply with data privacy regulations and standards that require data protection. Masking, data classification, and permission restrictions are other strategies that can help protect data, but they may not be sufficient or applicable for data stored on laptops. Masking is a technique that obscures sensitive data elements, such as credit card numbers, with random characters or symbols, but it is usually used for data in transit or in use, not at rest. Data classification is a process that assigns labels to data based on its sensitivity and business impact, but it does not protect the data itself. Permission restrictions are rules that define who can access, modify, or delete data, but they may not prevent unauthorized access if the laptop is stolen and the security controls are bypassed. Reference: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 17-18, 372-373
質問 # 80
侵入テストにより、ドメイン管理者アカウントがパスザハッシュ攻撃に対して脆弱であることが実証されました。脅威アクターがドメイン管理者アカウントを使用するのを防ぐための最善の戦略は次のどれでしょうか?
- A. ドメイン コントローラーのアクセスを監視するための IDS ポリシーを作成します。
- B. グループ ポリシーを使用してパスワードの有効期限を強制します。
- C. 特権アクセス管理ソリューションを実装します。
- D. 各ドメイン管理者アカウントのパスワードコンプライアンスを毎週監査します。
正解:C
解説:
Detailed Explanation:Privileged access management (PAM) solutions effectively mitigate pass-the-hash attacks by enforcing least privilege and session management for administrative accounts. These tools restrict how and when credentials can be accessed, thereby reducing attack surfaces. Reference: CompTIA Security+ SY0-701 Study Guide, Domain 2: Vulnerabilities, Section: "Mitigation Techniques".
質問 # 81
次のどれがハードウェア固有の脆弱性ですか?
- A. バッファオーバーフロー
- B. SQLインジェクション
- C. ファームウェアバージョン
- D. クロスサイトスクリプティング
正解:C
解説:
Firmware is a type of software that is embedded in a hardware device, such as a router, a printer, or a BIOS chip. Firmware controls the basic functions and operations of the device, and it can be updated or modified by the manufacturer or the user. Firmware version is a hardware-specific vulnerability, as it can expose the device to security risks if it is outdated, corrupted, or tampered with. An attacker can exploit firmware vulnerabilities to gain unauthorized access, modify device settings, install malware, or cause damage to the device or the network. Therefore, it is important to keep firmware updated and verify its integrity and authenticity. Reference = CompTIA Security+ Study Guide with over 500 Practice Test Questions: Exam SY0-701, 9th Edition, Chapter 2, page 67. CompTIA Security+ SY0-701 Exam Objectives, Domain 2.1, page 10.
質問 # 82
セキュリティ エンジニアは、攻撃中に増加するさまざまなトラフィック タイプの影響を最小限に抑えるために NGFW を構成する必要があります。エンジニアが構成する可能性が高いルールのタイプは次のうちどれですか。
- A. 署名ベース
- B. URLベース
- C. エージェントベース
- D. 行動ベース
正解:D
解説:
To minimize the impact of the increasing number of various traffic types during attacks, a security engineer is most likely to configure behavioral-based rules on a Next-Generation Firewall (NGFW). Behavioral-based rules analyze the behavior of traffic patterns and can detect and block unusual or malicious activity that deviates from normal behavior.
Behavioral-based: Detects anomalies by comparing current traffic behavior to known good behavior, making it effective against various traffic types during attacks.
Signature-based: Relies on known patterns of known threats, which might not be as effective against new or varied attack types.
URL-based: Controls access to websites based on URL categories but is not specifically aimed at handling diverse traffic types during attacks.
Agent-based: Typically involves software agents on endpoints to monitor and enforce policies, not directly related to NGFW rules.
質問 # 83
次の脅威アクターのうち、巨額の資金を使って他国にある重要なシステムを攻撃する可能性が高いのはどれですか?
- A. 未熟な攻撃者
- B. ハクティビスト
- C. インサイダー
- D. 国民国家
正解:D
解説:
A nation-state is a threat actor that is sponsored by a government or a political entity to conduct cyberattacks against other countries or organizations. Nation-states have large financial resources, advanced technical skills, and strategic objectives that may target critical systems such as military, energy, or infrastructure. Nation-states are often motivated by espionage, sabotage, or warfare12. Reference = 1: CompTIA Security+ SY0-701 Certification Study Guide, page 542: Threat Actors - CompTIA Security+ SY0-701 - 2.1, video by Professor Messer.
質問 # 84
マネージャーは、払い戻しを受けるためのリンクが記載されたメールを受け取りました。リンクの上にマウスを移動した後、マネージャーはドメインの URL が疑わしいリンクを指していることに気付きました。次のセキュリティ対策のうち、マネージャーが攻撃を特定するのに役立ったのはどれですか。
- A. プレーンテキストメール
- B. ポリシーの見直し
- C. URLスキャン
- D. エンドユーザートレーニング
正解:D
解説:
The security practice that helped the manager identify the suspicious link is end-user training.
Training users to recognize phishing attempts and other social engineering attacks, such as hovering over links to check the actual URL, is a critical component of an organization's security awareness program.
End user training: Educates employees on how to identify and respond to security threats, including suspicious emails and phishing attempts.
Policy review: Ensures that policies are understood and followed but does not directly help in identifying specific attacks.
URL scanning: Automatically checks URLs for threats, but the manager identified the issue manually.
Plain text email: Ensures email content is readable without executing scripts, but the identification in this case was due to user awareness.
質問 # 85
ある顧客がセキュリティ会社に、プロジェクトの概要、コスト、完了までの期間を記載した文書を提供するよう依頼しました。次の文書のうち、会社が顧客に提供すべきものはどれですか。
- A. MSA
- B. BPA
- C. SLA
- D. SOW
正解:D
解説:
An ISOW is a document that outlines the project, the cost, and the completion time frame for a security company to provide a service to a client. ISOW stands for Information Security Operations Work, and it is a type of contract that specifies the scope, deliverables, milestones, and payment terms of a security project. An ISOW is usually used for one-time or short-term projects that have a clear and defined objective and outcome. For example, an ISOW can be used for a security assessment, a penetration test, a security audit, or a security training. The other options are not correct because they are not documents that outline the project, the cost, and the completion time frame for a security company to provide a service to a client. A MSA is a master service agreement, which is a type of contract that establishes the general terms and conditions for a long-term or ongoing relationship between a security company and a client. A MSA does not specify the details of each individual project, but rather sets the framework for future projects that will be governed by separate statements of work (SOWs). A SLA is a service level agreement, which is a type of contract that defines the quality and performance standards for a security service provided by a security company to a client. A SLA usually includes the metrics, targets, responsibilities, and penalties for measuring and ensuring the service level. A BPA is a business partnership agreement, which is a type of contract that establishes the roles and expectations for a strategic alliance between two or more security companies that collaborate to provide a joint service to a client. A BPA usually covers the objectives, benefits, risks, and obligations of the partnership.
質問 # 86
......
あなたを合格させるCompTIA試験にはSY0-701日本語試験問題集:https://www.goshiken.com/CompTIA/SY0-701-JPN-mondaishu.html