CompTIA Updated SY0-701 Exam Questions and Answers by kaya

Non-compliance with internal policies, such as corporate security policies, falls under internal non-compliance. These are rules created and enforced within the organization to maintain security standards.

External non-compliance (A) refers to violations of outside regulations or laws. Standards (B) are generally established best practices or industry guidelines, and regulation (C) refers to legal or governmental requirements.

Internal compliance management is a key focus area in the Security Program Management domain of SY0-701【6:Chapter 16†CompTIA Security+ Study Guide】.

The log entries clearly show an attacker attempting to access sensitive system files by manipulating the filename parameter. The use of ../../../ is a classic indicator of a directory traversal attack, also called path traversal. This technique is used to move outside the intended web directory and access restricted locations on the server’s filesystem.

In this case, the attacker is attempting to read:

/etc/passwd — contains user account information

/etc/shadow — contains hashed password entries and is even more sensitive

The CompTIA Security+ SY0-701 exam describes directory traversal as an attack where unvalidated user input allows navigation to system directories, often using sequences like ../ to bypass file path restrictions. This is exactly what is shown in the logs.

File injection (A) would involve inserting malicious files or code, not reading system files.

Privilege escalation (B) requires exploiting a system to gain higher privileges, not just reading files.

Cookie forgery (D) involves manipulating session cookies and does not match the observed behavior.

Because the attacker is using path traversal patterns to access protected files, the correct answer is C. Directory traversal.

CVSS (Common Vulnerability Scoring System) is used to assign severity scores to security vulnerabilities, allowing organizations to assess risk and prioritize remediation efforts. By using CVSS scores, teams can address the most critical vulnerabilities first, based on the potential impact.