CompTIA SY0-701 Actual Questions

An Acceptable Use Policy (AUP) defines what users are permitted and prohibited from doing on an organization ' s systems, including website access. Accessing unauthorized sites is a common violation of the AUP.

Data classification is the process of assigning labels to data based on its sensitivity and business impact. Different organizations and sectors may have different data classification schemes, but a common one is the following1:

Public: Data that can be freely disclosed to anyone without any harm or risk.

Private: Data that is intended for internal use only and may cause some harm or risk if disclosed.

Confidential: Data that is intended for authorized use only and may cause significant harm or risk if disclosed.

Restricted: Data that is intended for very limited use only and may cause severe harm or risk if disclosed.

In this scenario, the company is developing a critical system for the government and storing project information on a fileshare. This data is likely to be classified as confidential and restricted, because it is not meant for public or private use, and it may cause serious damage to national security or public safety if disclosed. The government may also have specific requirements or regulations for handling such data, such as encryption, access control, and auditing2. References: 1: CompTIA Security+ Study Guide: Exam SY0-701, 9th Edition, page 16-17 2: Data Classification Practices: Final Project Description Released

The best answer is A. Implementing an update after a board grants approval .

Change management is the formal process used to request, review, approve, test, document, and implement changes to systems and services. A classic example is receiving approval from a change advisory board or similar authority and then implementing the update in a controlled manner.

Why the other options are incorrect:

B. Setting a new password for a user This is a routine administrative task, not formal change management.

C. Performing a penetration test before deploying a patch This may support validation, but it is not itself the best example of the change management process.

D. Auditing all system equipment before sending the list to the Chief Executive Officer This is an audit or inventory activity, not change management.

From a Security+ perspective, controlled changes with formal approval are the clearest example of change management, so A is correct.

Comprehensive and Detailed Explanation From Exact Extract:

VM escape occurs when an attacker inside a virtual machine breaks out of the guest OS and gains access to the underlying host hypervisor or other virtual machines. In this scenario, the penetration tester executes a script to inject a malicious payload that allows access to the host filesystem—this is the textbook definition of VM escape.

The SY0-701 exam specifically identifies VM escape as one of the most critical virtualization vulnerabilities, as it defeats isolation and can compromise entire virtual environments. This typically results from flaws in hypervisor software, improper sandboxing, or insecure VM tools.

Cross-site scripting (B) affects web applications and browsers, not hypervisors. Malicious updates (C) involve tampered patch delivery. SQL injection (D) targets databases through application input fields.

Because the attacker moved from a VM to the host system, the correct classification is VM escape, a high-severity virtualization vulnerability.