40 questions / 10 random questions
Random questions, instant feedback, and review for missed questions.
View recommended CompTIA Security+ resources →
Which CIA-triad element ensures that only authorized users can read customer data?
Answer: Confidentiality
Confidentiality limits information disclosure to authorized entities.
What is commonly used to verify that a file has not changed?
Answer: Compare it with a trusted hash
A cryptographic hash can detect content changes and support integrity verification.
What does authentication using a password plus a security key provide?
Answer: Multi-factor authentication using different factor types
A password is knowledge and a security key is possession, so the combination is MFA.
Why is symmetric encryption commonly used for bulk data encryption?
Answer: It is generally faster than asymmetric encryption
Symmetric encryption is fast, but its shared key must be distributed and stored securely.
What is most important before changing a production firewall rule?
Answer: Prepare impact analysis, approval, testing, and rollback
Managed change evaluates security and availability impact and enables recovery from failure.
What is a targeted message impersonating an executive to request an urgent transfer?
Answer: Business Email Compromise
BEC impersonates trusted executives or partners to induce payment or data disclosure.
Which malware encrypts files and demands payment for recovery?
Answer: Ransomware
Ransomware defenses include offline backups, patching, restricted privileges, detection, and response exercises.
Input such as ' OR 1=1 -- appears in a web request. Which attack is likely?
Answer: SQL injection
Parameterized queries and validation prevent input from being interpreted as SQL syntax.
Which web vulnerability causes attacker-controlled script to run in a user's browser?
Answer: Cross-Site Scripting
XSS is mitigated with output encoding, safe templates, and defenses such as CSP.
Which attack floods a service with traffic from many sources?
Answer: Distributed Denial of Service
DDoS exhausts resources with distributed traffic and reduces availability.
What is a previously unknown or unpatched vulnerability exploited before a fix is available commonly called?
Answer: A zero-day vulnerability
Defense against zero-days relies on layered controls such as behavioral detection, segmentation, and least privilege.
Which attack tries credentials leaked from one service against other services?
Answer: Credential stuffing
Credential stuffing automates reuse of leaked credentials; MFA and unique passwords reduce risk.
What attack category compromises a legitimate vendor update to distribute malware?
Answer: A software supply-chain attack
Signature verification, SBOMs, dependency pinning, and vendor assessment reduce supply-chain risk.
Which control helps detect insecure server configuration before production?
Answer: Configuration scanning against a secure baseline
Baseline comparison and policy as code can detect drift and unsafe settings early.
Which statement reflects a core Zero Trust principle?
Answer: Do not trust location alone; verify continuously and grant least privilege
Zero Trust emphasizes explicit verification, least privilege, and assuming breach.
Which design limits lateral movement from a compromised endpoint to critical servers?
Answer: Network segmentation with strict access controls
Segmentation separates trust boundaries and limits blast radius and lateral movement.
What is a common architecture for separating a public web server from an internal database?
Answer: Place the web tier in a DMZ and the database in an internal segment
Tier separation and narrowly allowed ports reduce impact if the public system is compromised.
Which combination protects both data at rest and data in transit?
Answer: Storage encryption and TLS
Data at rest and in transit require different controls; Base64 is not encryption.
What is the security objective of deploying a service across multiple regions?
Answer: Improved resilience and availability
Separating failure domains improves tolerance of a regional outage.
What does an RPO of four hours mean?
Answer: Up to about four hours of data loss is acceptable
RPO expresses acceptable data loss; RTO expresses target recovery time.
What is a primary role of a SIEM?
Answer: Aggregate and correlate logs to support alerts and investigations
A SIEM centrally analyzes events and provides context for detection, triage, and investigation.
What does EDR primarily provide on endpoints?
Answer: Behavior monitoring, detection, investigation, and response such as isolation
EDR collects endpoint telemetry and supports detection and response to suspicious activity.
What is appropriate after a scanner reports a critical vulnerability?
Answer: Validate asset context, exposure, and exploitability; remediate by priority and rescan
Risk-based vulnerability management cycles through validation, prioritization, remediation, and verification.
What should be done whenever possible before an emergency patch?
Answer: Assess impact, prepare backup or rollback, record approval, and monitor afterward
Even emergencies need streamlined change control and recovery preparation to limit secondary failures.
What is the highest-priority action for a departing employee's account?
Answer: Disable access at the approved offboarding time and recover credentials or assets
A joiner-mover-leaver process synchronizes access lifecycle with HR events.
Which practice is appropriate for privileged accounts?
Answer: Separate them from daily accounts and use MFA, PAM, and session recording
Privileged use should be limited, approved, recorded, and separated from ordinary activity.
What is important early in incident response before containment?
Answer: Triage scope and impact, preserve evidence, and establish communications
Early response preserves situational awareness, evidence chain, and coordination for containment decisions.
Why isolate a compromised endpoint from the network?
Answer: Limit lateral movement and external communication while preserving the system for investigation
Isolation is containment; eradication and recovery are separate phases.
Why record a hash when acquiring a forensic image?
Answer: To verify evidence integrity after acquisition
Matching acquisition and analysis hashes demonstrates that evidence has not changed.
What is a common goal of SOAR?
Answer: Automate repeatable alert enrichment and response workflows
SOAR automates repeatable playbooks so analysts can focus on higher-value decisions.
Why is asset inventory important to security operations?
Answer: It identifies owners, criticality, software, and patch state for response scope
Without knowing what exists, patching, monitoring, and incident scoping cannot be managed well.
How should inconsistent timestamps across security logs be addressed?
Answer: Synchronize time using authenticated NTP or equivalent and standardize time zones
Accurate time is essential for event correlation, timelines, and evidentiary value.
What is the basic formula for annualized loss expectancy?
Answer: SLE × ARO
ALE estimates annual loss by multiplying single loss expectancy by annualized rate of occurrence.
Which is an example of transferring risk?
Answer: Purchase cyber insurance
Insurance transfers part of financial impact, but does not eliminate all responsibility or loss.
What should be understood early in a third-party vendor assessment?
Answer: Data handled, access scope, subcontractors, controls, and incident-notification duties
Understanding data flows, access, and contractual duties enables inherent and residual risk assessment.
Which statement correctly relates policy, standards, and procedures?
Answer: Policy sets direction, standards set mandatory criteria, and procedures give steps
The hierarchy translates governance direction into enforceable criteria and executable steps.
What is a primary responsibility of a data owner?
Answer: Determine data classification and access requirements
The owner approves classification, use, and protection requirements based on business value and risk.
What is the purpose of a tabletop exercise?
Answer: Discuss a scenario to find gaps in roles, decisions, communications, and procedures
A tabletop exercise tests response plans and coordination with low operational risk.
What is an appropriate improvement after a phishing simulation?
Answer: Analyze results and use them for non-punitive targeted education and better reporting
Awareness programs should improve behavior and early reporting through measured, continuous improvement.
What should a security exception include?
Answer: Business justification, risk owner, compensating controls, expiry, and review
Exceptions transparently accept or mitigate risk and need expiry and reassessment to avoid becoming permanent.