CompTIA Updated SY0-701 Exam Questions and Answers by harlen

Injecting malicious payloads into a hypervisor and accessing the host system is an example of VM escape, where the isolation between virtual machines and the host breaks down, allowing unauthorized control.

Cross-site scripting (B), malicious updates (C), and SQL injection (D) are unrelated to hypervisor host access.

VM escape is a critical vulnerability unique to virtualized environments described in SY0-701【6:Chapter 2†CompTIA Security+ Study Guide】.

The best answer is B. Providing an alternative security measure when standard remediation is not feasible.

A compensating control is a substitute safeguard used when the preferred or required control cannot be implemented immediately or at all. It helps reduce risk in another way until proper remediation is possible, or when direct remediation is impractical.

Examples include:

increasing monitoring when a system cannot be patched

segmenting a legacy application that cannot be upgraded

restricting access to a vulnerable system that must remain in service

Why the other options are incorrect:

A. Reducing the attack surface by isolating vulnerable components within a segmented environmentThis can be an example of a compensating control, but it does not define the overall role as clearly as B.

C. Delaying remediation timelines by replacing affected systems in a maintenance windowThis describes scheduling or change timing, not compensating controls.

D. Remediating software flaws by modifying source code to remove insecure functionsThis is direct remediation, not a compensating control.

From the SY0-701 perspective, compensating controls are used when the ideal fix is not possible, so B is the best explanation.

Virtualization (D)allows multiple systems and services to be hosted onfewer physical machines, therebyreducing the total number of physical devicesand consequently thehardware attack surface. This also allows for better patching, monitoring, and control.

The fewer devices you manage physically, the fewer entry points there are for attackers to exploit hardware-level vulnerabilities.

The best answer is A. Ensure the firewall data plane moves to fail-closed mode.

The key requirement is that the company prioritizes confidentiality over availability. In a failure or security event, a fail-closed firewall blocks traffic rather than allowing traffic to continue through an untrusted or degraded state.

This choice protects sensitive business data, even if it temporarily interrupts transactions.

Why the other options are incorrect:

B. Implement a deny-all rule as the last firewall ACL rule.This is a standard best practice, but it does not specifically address behavior during a security event.

C. Prioritize business-critical application traffic through the firewall.This emphasizes availability and performance, not confidentiality.

D. Configure rate limiting between the firewall interfaces.Rate limiting can help with traffic control, but it is not the best match for the stated priority.

From a Security+ standpoint, when confidentiality is more important than uptime, fail closed is the correct choice.