CompTIA Security+ (SY0-701) — Question 174

An administrator was notified that a user logged in remotely after hours and copied large amounts of data to a personal device.
Which of the following best describes the user’s activity?

Answer options

• A. Penetration testing
• B. Phishing campaign
• C. External audit
• D. Insider threat

Correct answer: D

Explanation

The correct answer is D, Insider threat, as the user is an internal employee who is misusing their access to transfer sensitive data. Options A, B, and C do not apply because penetration testing is authorized testing, phishing is a type of attack on users, and external audits involve third parties evaluating security, none of which fit the scenario described.