CompTIA Security+ Q & A

Q1 Which of the following ensures that a sender cannot deny sending a message?
A) Encryption
B) Hashing
C) Digital Signature
D) Symmetric Key Exchange
Answer
C) Digital Signature
Explanation: Digital signatures ensure non-repudiation — proving who sent the data.
Q2 Which type of threat actor is MOST likely to have the greatest resources and patience for an extended attack?
A) Insider
B) Nation-State
C) Script Kiddie
D) Hacktivist
Answer
B) Nation-State
Explanation: Nation-state actors have the highest resources, skills, and patience for prolonged attacks.
Q3 What type of attack involves inserting malicious code into a legitimate web application to steal information from users?
A) Phishing
B) SQL Injection
C) Cross-Site Scripting (XSS)
D) DNS Spoofing
Answer
C) Cross-Site Scripting (XSS)
Explanation: XSS injects malicious scripts into web apps to steal session cookies, data, etc.
Q4 A company needs to prevent unauthorized devices from connecting to its internal network. What technology should be used?
A) Firewall
B) VPN
C) NAC (Network Access Control)
D) IDS
Answer
C) NAC (Network Access Control)
Explanation: NAC checks device health and enforces policies before allowing network access.
Q5 Which backup type saves only the changes made since the last full backup?
A) Incremental
B) Differential
C) Full
D) Snapshot
Answer
A) Incremental
Explanation: Incremental backup captures only changes since the last full backup.
Q6 What control type is a biometric fingerprint scanner?
A) Technical
B) Administrative
C) Physical
D) Compensating
Answer
C) Physical
Explanation: Biometric scanners are physical controls that authenticate users.
Q7 Which wireless security protocol is the most secure for corporate environments?
A) WEP
B) WPA
C) WPA2-PSK
D) WPA3-Enterprise
Answer
D) WPA3-Enterprise
Explanation: WPA3-Enterprise is the most secure option for business wireless networks.
Q8 Which of the following would BEST help mitigate risks associated with phishing attacks?
A) IDS
B) Security Awareness Training
C) Firewall Rules
D) Password Complexity Requirements
Answer
B) Security Awareness Training
Explanation: Training users helps them recognize phishing attempts and avoid falling victim.
Q9 Which risk response involves buying cyber insurance?
A) Accept
B) Mitigate
C) Transfer
D) Avoid
Answer
C) Transfer
Explanation: Buying insurance transfers the financial risk to another party.
Q10 Which concept is being applied when access to files is based on job roles such as HR, IT, or Accounting?
A) MAC
B) DAC
C) RBAC
D) ABAC
Answer
C) RBAC
Explanation: Role-Based Access Control (RBAC) assigns permissions based on user job roles.
Questions 11–20
Q11 Which term describes an attack where an unauthorized device connects to a corporate wireless network?
A) Rogue AP
B) Evil Twin
C) Bluejacking
D) MAC Spoofing
Answer
B) Evil Twin
Explanation: An evil twin is a rogue Wi-Fi access point set up to mimic a legitimate network.
Q12 What type of malware disguises itself as a legitimate program but delivers a malicious payload?
A) Worm
B) Ransomware
C) Trojan
D) Rootkit
Answer
C) Trojan
Explanation: A trojan appears legitimate but delivers malicious code once executed.
Q13 Which process helps ensure that only needed ports and services are running on a server?
A) Network segmentation
B) Baseline configuration
C) Change management
D) Hardening
Answer
D) Hardening
Explanation: Hardening reduces the attack surface by disabling unnecessary services.
Q14 A database administrator is setting access so that users only have permission to view certain data. Which principle is being applied?
A) Separation of Duties
B) Need-to-Know
C) Non-repudiation
D) Risk Transference
Answer
B) Need-to-Know
Explanation: Need-to-know restricts data access to only necessary users.
Q15 Which option BEST describes a warm site in disaster recovery planning?
A) Fully operational copy of the production environment
B) Facility with basic hardware but not real-time data
C) Empty building with power and Internet only
D) Vendor-provided cloud backup solution
Answer
B) Facility with basic hardware but not real-time data
Explanation: Warm sites have equipment ready but need configuration and data loading.
Q16 Which technology would a company use to detect unauthorized changes to critical system files?
A) DLP
B) File Integrity Monitoring (FIM)
C) SIEM
D) HIDS
Answer
B) File Integrity Monitoring (FIM)
Explanation: FIM detects unauthorized changes to files.
Q17 A phishing attack led to a ransomware infection. Which two controls would have BEST prevented the incident? (Choose two.)
A) Data Encryption
B) Email Filtering
C) Security Awareness Training
D) RAID 5
Answer
B) Email Filtering and C) Security Awareness Training
Explanation: Filtering blocks phishing emails; training teaches users to recognize them.
Q18 Which type of access control is enforced by system policies rather than user discretion?
A) DAC
B) RBAC
C) ABAC
D) MAC
Answer
D) MAC
Explanation: Mandatory Access Control (MAC) strictly enforces security policies.
Q19 What is the primary purpose of a honeypot?
A) Encrypt sensitive data
B) Divert attackers away from real systems
C) Patch vulnerabilities
D) Enforce firewall rules
Answer
B) Divert attackers away from real systems
Explanation: Honeypots attract attackers to fake systems to study them.
Q20 Which incident response phase involves learning lessons and updating the incident response plan after a security event?
A) Detection
B) Containment
C) Recovery
D) Lessons Learned
Answer
D) Lessons Learned
Explanation: Post-incident analysis improves future responses.
Questions 21–30
Q21 Which of the following BEST describes a risk mitigation strategy?
A) Ignoring a low-probability event
B) Purchasing cyber insurance
C) Installing a firewall to block threats
D) Documenting a risk acceptance form
Answer
C) Installing a firewall to block threats
Explanation: Mitigation adds controls to reduce risk likelihood or impact.
Q22 An attacker is trying multiple passwords against many different user accounts. What is this called?
A) Dictionary Attack
B) Brute Force Attack
C) Password Spraying
D) Rainbow Table Attack
Answer
C) Password Spraying
Explanation: Password spraying tries common passwords across many accounts to avoid lockout.
Q23 What is the purpose of a disaster recovery plan (DRP)?
A) Prevent data breaches
B) Maintain operations during an attack
C) Restore critical business systems after disruption
D) Identify vulnerabilities before attacks occur
Answer
C) Restore critical business systems after disruption
Explanation: A DRP focuses on system recovery after disaster events.
Q24 Which concept ensures that sensitive data is only accessible to authorized individuals?
A) Integrity
B) Confidentiality
C) Availability
D) Authentication
Answer
B) Confidentiality
Explanation: Confidentiality ensures sensitive data isn't disclosed to unauthorized users.
Q25 Which of the following BEST describes a vulnerability scanner?
A) Blocks malicious traffic at the network perimeter
B) Actively exploits vulnerabilities
C) Passively identifies potential weaknesses
D) Encrypts sensitive communications
Answer
C) Passively identifies potential weaknesses
Explanation: Vulnerability scanners find weaknesses but don’t exploit them.
Q26 Which of the following technologies uses security groups and microsegmentation to enhance cloud security?
A) VPNs
B) Infrastructure as Code
C) Cloud-native firewalls
D) Software-Defined Networking (SDN)
Answer
D) Software-Defined Networking (SDN)
Explanation: SDN uses segmentation and programmable security in cloud environments.
Q27 A system administrator wants to monitor failed login attempts centrally. Which system should be deployed?
A) SIEM
B) NAC
C) DLP
D) SOAR
Answer
A) SIEM
Explanation: A SIEM collects and analyzes logs, including login failures.
Q28 Which attack occurs when a malicious actor manipulates a DNS server to redirect traffic to fraudulent websites?
A) DNS Poisoning
B) Domain Hijacking
C) IP Spoofing
D) ARP Poisoning
Answer
A) DNS Poisoning
Explanation: DNS poisoning manipulates DNS to redirect users to malicious sites.
Q29 A company requires users to authenticate once and then have access to multiple systems without re-entering credentials. Which solution BEST meets this requirement?
A) Federation
B) LDAP
C) Multifactor Authentication
D) VPN
Answer
A) Federation
Explanation: Federation allows single authentication across multiple domains or systems.
Q30 Which backup strategy would provide the QUICKEST recovery time in case of a server failure?
A) Full Backup
B) Differential Backup
C) Incremental Backup
D) Snapshot Backup
Answer
D) Snapshot Backup
Explanation: Snapshots allow rapid rollback to a known good system state.
Questions 31–40
Q31 Which principle ensures that users are granted only the access necessary to perform their job functions?
A) Separation of Duties
B) Need-to-Know
C) Least Privilege
D) Role-Based Access Control
Answer
C) Least Privilege
Explanation: Least privilege gives users only the access rights necessary to do their jobs.
Q32 An attacker captures data from a public Wi-Fi network without connecting to it. Which attack is being performed?
A) Evil Twin
B) On-Path Attack (MITM)
C) Passive Eavesdropping
D) Session Hijacking
Answer
C) Passive Eavesdropping
Explanation: Passive eavesdropping listens to network traffic without active interception.
Q33 What is the PRIMARY goal of a business impact analysis (BIA)?
A) Identify and prioritize critical business functions
B) Analyze threats against network security
C) Determine security control effectiveness
D) Perform a penetration test
Answer
A) Identify and prioritize critical business functions
Explanation: A BIA identifies essential processes and their recovery priorities.
Q34 What type of backup method would you use if you want to store only the changes made since the last full backup AND you want fast recovery?
A) Incremental
B) Full
C) Differential
D) Snapshot
Answer
C) Differential
Explanation: Differential backups capture all changes since the last full backup, so a restore needs only the full backup plus one differential and is faster than restoring a chain of incrementals.
Q35 Which of the following technologies BEST protects against on-path (Man-in-the-Middle) attacks?
A) VLAN
B) IPS
C) VPN
D) RAID
Answer
C) VPN
Explanation: VPNs encrypt traffic, preventing interception and tampering in on-path attacks.
Q36 During which incident response phase would you isolate a compromised server?
A) Recovery
B) Containment
C) Lessons Learned
D) Identification
Answer
B) Containment
Explanation: Containment limits the spread of the incident, for example by isolating a compromised server from the network.
Q37 What security principle is enforced when employees are required to use two different passwords for administrative and non-administrative accounts?
A) Separation of Duties
B) Least Privilege
C) Defense in Depth
D) Dual Control
Answer
A) Separation of Duties
Explanation: Separating credentials for admin and user accounts supports separation of duties.
Q38 Which cloud model allows the customer the MOST control over the operating system and applications?
A) SaaS
B) PaaS
C) IaaS
D) FaaS
Answer
C) IaaS
Explanation: In Infrastructure as a Service (IaaS), the customer manages the OS, apps, and configurations.
Q39 What is a PRIMARY security concern with Infrastructure as Code (IaC)?
A) Outdated server hardware
B) Rapid spread of misconfigurations
C) Vendor lock-in
D) Poor network performance
Answer
B) Rapid spread of misconfigurations
Explanation: IaC errors can quickly replicate insecure settings across environments.
Q40 An attacker sends unsolicited Bluetooth messages to nearby devices. What attack is this?
A) Bluesnarfing
B) Bluebugging
C) Bluejacking
D) Bluespoofing
Answer
C) Bluejacking
Explanation: Bluejacking involves sending unsolicited Bluetooth messages to devices.
Questions 41–50
Q41 Which of the following BEST describes a cold site?
A) Operational data center ready for immediate use
B) Empty facility with basic infrastructure like power and HVAC
C) Fully equipped center with real-time data replication
D) Offsite cloud backup provider
Answer
B) Empty facility with basic infrastructure like power and HVAC
Explanation: A cold site is ready with essentials but needs equipment and data to become operational.
Q42 Which access control method enforces strict policies based on security labels such as “Confidential” or “Top Secret”?
A) DAC
B) RBAC
C) MAC
D) ABAC
Answer
C) MAC
Explanation: Mandatory Access Control uses labels like “Top Secret” to strictly control access.
Q43 An employee plugs a personal USB drive into a company workstation without approval. What risk does this primarily represent?
A) Insider Threat
B) Phishing Attack
C) Supply Chain Attack
D) Business Email Compromise
Answer
A) Insider Threat
Explanation: Unauthorized devices plugged into company systems pose insider risks.
Q44 Which protocol secures email communication by digitally signing and encrypting messages?
A) TLS
B) S/MIME
C) SSH
D) SSL
Answer
B) S/MIME
Explanation: S/MIME secures email with digital signatures and encryption.
Q45 Which type of control is implementing a security awareness training program?
A) Physical
B) Technical
C) Preventive
D) Administrative
Answer
D) Administrative
Explanation: Security training programs are administrative controls (policy/procedure related).
Q46 What is the MOST appropriate tool to use when wanting to aggregate, correlate, and analyze logs from multiple systems?
A) VPN
B) Firewall
C) SIEM
D) NAC
Answer
C) SIEM
Explanation: A SIEM collects and analyzes logs from across the enterprise.
Q47 Which of the following would MOST help prevent unauthorized physical access to a data center?
A) IDS
B) Biometric Access Controls
C) VPN
D) Anti-Malware
Answer
B) Biometric Access Controls
Explanation: Biometrics (like fingerprints) are effective physical security measures.
Q48 What security concept involves separating services and functions into isolated containers to minimize the attack surface?
A) Microsegmentation
B) Defense in Depth
C) Least Privilege
D) Data Sovereignty
Answer
A) Microsegmentation
Explanation: Microsegmentation isolates workloads to minimize lateral movement risk.
Q49 An attacker successfully tricks a user into giving up login credentials via a fake login page. What attack technique was used?
A) Spear Phishing
B) Vishing
C) Smishing
D) Pharming
Answer
A) Spear Phishing
Explanation: Spear phishing targets individuals with highly customized fake login pages.
Q50 Which phase of the incident response process involves finding and removing malware from infected systems?
A) Preparation
B) Containment
C) Eradication
D) Lessons Learned
Answer
C) Eradication
Explanation: Eradication is the phase in which malware or vulnerabilities are removed from affected systems, after containment.
Questions 51–60
Q51 Which security tool uses signatures and anomaly detection to identify malicious network traffic?
A) Firewall
B) SIEM
C) IDS
D) DLP
Answer
C) IDS
Explanation: An IDS detects threats by matching signatures or identifying anomalies.
Q52 A company wants to ensure that employees can recover their files after a ransomware attack without paying the ransom. Which control BEST achieves this?
A) IDS
B) Regular Offline Backups
C) VPN Access
D) Email Filtering
Answer
B) Regular Offline Backups
Explanation: Offline backups protect against ransomware by providing safe recovery data.
Q53 Which of the following is MOST critical to maintain when preserving digital evidence?
A) Full Disk Encryption
B) Legal Hold
C) Chain of Custody
D) Incident Triage
Answer
C) Chain of Custody
Explanation: Chain of custody ensures evidence integrity for legal use.
Q54 A company configures a cloud storage bucket and mistakenly leaves it open to the public. What type of vulnerability is this?
A) Zero-Day
B) Misconfiguration
C) Insider Threat
D) Malware Infection
Answer
B) Misconfiguration
Explanation: Leaving a cloud bucket public is a classic misconfiguration vulnerability.
Q55 Which layer of the OSI model does a firewall operate primarily at?
A) Application
B) Transport
C) Network
D) Data Link
Answer
C) Network
Explanation: Firewalls operate mainly at Layer 3 (Network layer) — managing IP addresses and traffic.
Q56 What security concept is enforced when two employees are required to approve a wire transfer above a certain dollar amount?
A) Dual Control
B) Least Privilege
C) Discretionary Access Control
D) Federation
Answer
A) Dual Control
Explanation: Dual control requires two people to authorize a sensitive action.
Q57 Which cryptographic concept is used to ensure message integrity?
A) Symmetric Encryption
B) Asymmetric Encryption
C) Hashing
D) Key Exchange
Answer
C) Hashing
Explanation: Hashing ensures data integrity by generating a fixed-length fingerprint of the data.
Q58 What is the purpose of tokenization in data security?
A) Encrypt sensitive data
B) Replace sensitive data with non-sensitive placeholders
C) Hash sensitive data
D) Create a secure communication channel
Answer
B) Replace sensitive data with non-sensitive placeholders
Explanation: Tokenization replaces real data with non-sensitive tokens that have no value on their own, protecting the sensitive information.
Q59 Which type of backup provides the FASTEST full system recovery after a catastrophic failure?
A) Incremental
B) Full Backup
C) Differential
D) Cloud Backup
Answer
B) Full Backup
Explanation: Full backups allow the quickest recovery without relying on incremental data restoration.
Q60 A team uses a sandbox environment to open suspicious files. What type of control is this?
A) Preventive
B) Detective
C) Corrective
D) Compensating
Answer
A) Preventive
Explanation: Sandboxes are preventive, isolating suspicious files before damage can occur.
Questions 61–70
Q61 Which of the following is a PRIMARY characteristic of a rootkit?
A) Encrypts files and demands ransom
B) Hides its existence by manipulating the OS
C) Replicates itself across the network
D) Sends unsolicited messages via Bluetooth
Answer
B) Hides its existence by manipulating the OS
Explanation: Rootkits hide their presence by modifying OS functions to avoid detection.
Q62 An organization wants to minimize data loss during a disaster. Which metric defines the maximum amount of data loss acceptable?
A) RTO
B) MTD
C) RPO
D) ALE
Answer
C) RPO
Explanation: Recovery Point Objective defines the maximum acceptable data loss.
Q63 Which wireless security protocol is considered obsolete and should NOT be used?
A) WPA2
B) WPA
C) WPA3
D) WEP
Answer
D) WEP
Explanation: WEP is outdated and insecure — easily cracked in minutes.
Q64 A system administrator is deploying security patches to all systems automatically after testing. This is an example of:
A) Change Management
B) Patch Management
C) Hardening
D) Incident Response
Answer
B) Patch Management
Explanation: Patch management involves scheduling and deploying updates systematically.
Q65 What type of malware restricts access to a system until payment is made?
A) Trojan
B) Worm
C) Spyware
D) Ransomware
Answer
D) Ransomware
Explanation: Ransomware encrypts systems/files and demands payment for access.
Q66 Which term describes isolating different departments in a network to improve security?
A) Subnetting
B) Virtualization
C) Network Segmentation
D) Packet Filtering
Answer
C) Network Segmentation
Explanation: Segmentation isolates different parts of the network for better control and security.
Q67 What concept does the principle of "never trust, always verify" relate to?
A) VPN
B) Zero Trust
C) Single Sign-On
D) Role-Based Access Control
Answer
B) Zero Trust
Explanation: Zero Trust always requires verification, regardless of network location.
Q68 Which tool is specifically designed to discover vulnerabilities in a system but NOT exploit them?
A) Penetration Test
B) Exploit Framework
C) Vulnerability Scanner
D) SIEM
Answer
C) Vulnerability Scanner
Explanation: Vulnerability scanners detect weaknesses without active exploitation.
Q69 An employee receives a fake call pretending to be IT support asking for a password. What attack is this?
A) Phishing
B) Vishing
C) Smishing
D) Spear Phishing
Answer
B) Vishing
Explanation: Vishing is phishing conducted over the telephone.
Q70 A user logs into an internal website using a badge and PIN. What authentication factors are being used?
A) Something you know and something you are
B) Something you know and something you have
C) Something you have and something you are
D) Two instances of something you know
Answer
B) Something you know and something you have
Explanation: PIN = something you know; Badge = something you have.
Questions 71–80
Q71 Which technology allows secure remote access to a corporate network by encrypting all traffic? VLAN IDS VPN Proxy Server
Answer
C) VPN
Explanation: A VPN encrypts data between remote users and corporate networks.
Q72 An employee leaves a confidential document on a shared printer. What kind of risk is this? Insider Threat Physical Security Risk Supply Chain Risk Malware Infection
Answer
B) Physical Security Risk
Explanation: Leaving sensitive documents in shared spaces risks unauthorized access.
Q73 Which of the following would MOST effectively prevent malware from executing on endpoints? Application Allowlisting IDS Deployment SSL/TLS Encryption Role-Based Access Control
Answer
A) Application Allowlisting
Explanation: Only approved apps can run, blocking unknown malware.
Q74 A company requires that users verify their identity using a username, password, and fingerprint scan. This is an example of: Multi-Factor Authentication Federation SSO Kerberos Authentication
Answer
A) Multi-Factor Authentication
Explanation: Using two or more different authentication factors (password + fingerprint).
Q75 Which security principle ensures that critical functions are divided among multiple people to prevent fraud? Least Privilege Separation of Duties Job Rotation Dual Control
Answer
B) Separation of Duties
Explanation: No one person controls all parts of a critical process, preventing fraud.
Q76 What technique is used by attackers to overload a server with requests, causing service disruption? SQL Injection DNS Poisoning DDoS Attack ARP Spoofing
Answer
C) DDoS Attack
Explanation: Distributed Denial of Service floods a server with traffic.
Q77 Which of the following devices inspects and filters packets based on application-level data? Traditional Firewall Proxy Server Next-Generation Firewall (NGFW) Router
Answer
C) Next-Generation Firewall (NGFW)
Explanation: NGFWs inspect packets deeply, including application-level data.
Q78 Which method ensures that a user cannot deny performing an action, such as sending an email? Non-Repudiation Availability Encryption Role-Based Access Control
Answer
A) Non-Repudiation
Explanation: Non-repudiation ensures proof of actions like sending emails.
Q79 An attacker exploits a race condition in a web application. What is this an example of? Improper Input Handling Application Logic Flaw Secure Coding Practice Race Attack Vulnerability
Answer
D) Race Attack Vulnerability
Explanation: Race conditions exploit timing issues in applications.
Q80 Which of the following is a benefit of implementing Infrastructure as Code (IaC) securely? Manual configuration of servers Consistent and repeatable deployments Physical separation of networks Encrypted communication tunnels
Answer
B) Consistent and repeatable deployments
Explanation: IaC enables secure, automated, consistent infrastructure setup.
Questions 81–90
Q81 Which of the following BEST describes the primary benefit of implementing a SIEM system? Blocking unauthorized access attempts Preventing malware infections Aggregating and analyzing security logs centrally Encrypting sensitive data at rest
Answer
C) Aggregating and analyzing security logs centrally
Explanation: SIEM systems collect logs from multiple sources for centralized analysis.
Q82 What is the MAIN purpose of a DLP (Data Loss Prevention) system? Detect malware signatures Monitor unauthorized data transfers Block phishing emails Scan networks for vulnerabilities
Answer
B) Monitor unauthorized data transfers
Explanation: DLP systems monitor for and block sensitive data leaving the network.
Q83 An attacker tricks a user into resetting their password by spoofing a legitimate password reset page. What kind of attack is this? Phishing SQL Injection Session Hijacking Privilege Escalation
Answer
A) Phishing
Explanation: Spoofed password reset pages are classic phishing attacks.
Q84 Which backup method copies only the files that have changed since the last backup, no matter what type it was? Full Incremental Differential Snapshot
Answer
B) Incremental
Explanation: Incremental backups save changes since the last backup (full or incremental).
Q85 What does the principle of Defense in Depth emphasize? Using multiple layers of security controls Deploying only firewalls at the network perimeter Using two-factor authentication for all logins Relying primarily on SIEM alerts
Answer
A) Using multiple layers of security controls
Explanation: Defense in Depth layers controls so that no single control is a single point of failure.
Q86 Which of the following is an example of an administrative control? Fire extinguisher in server room Firewall rules Security awareness policy Encryption of data at rest
Answer
C) Security awareness policy
Explanation: Administrative controls include policies and procedures.
Q87 A SOC analyst notices large outbound traffic to an unknown IP. What is the BEST immediate action? Shut down all network switches Disconnect affected systems Reboot affected systems Call the ISP
Answer
B) Disconnect affected systems
Explanation: Disconnect immediately to prevent further data exfiltration.
Q88 Which term describes unauthorized commands sent from a user’s browser to a trusted website? Cross-Site Scripting (XSS) SQL Injection Command Injection Cross-Site Request Forgery (CSRF)
Answer
D) Cross-Site Request Forgery (CSRF)
Explanation: CSRF tricks a logged-in user's browser into sending unwanted requests to a trusted site.
Q89 Which of the following technologies enables a single identity to access multiple applications across different domains? Multifactor Authentication Federation VPN Zero Trust
Answer
B) Federation
Explanation: Federation allows single login across multiple organizations/systems.
Q90 What is the FIRST action to take when you detect an active ransomware infection? Pay the ransom Disconnect infected systems from the network Run antivirus scan Contact cloud backup provider
Answer
B) Disconnect infected systems from the network
Explanation: Isolate first to stop the spread of ransomware.
Questions 91–100
Q91 Which of the following terms describes preventing unauthorized access by forcing a user to authenticate again after a period of inactivity? Session Lock Password Complexity Single Sign-On Federation
Answer
A) Session Lock
Explanation: Session locks require reauthentication after inactivity to prevent unauthorized access.
Q92 What type of test involves assessing the physical, administrative, and technical safeguards without exploiting vulnerabilities? Vulnerability Scan Penetration Test Risk Assessment Business Impact Analysis
Answer
C) Risk Assessment
Explanation: Risk assessments evaluate safeguards without actively exploiting vulnerabilities.
Q93 Which component is critical for ensuring confidentiality when sending sensitive data across the Internet? Hashing Encryption Load Balancing IDS
Answer
B) Encryption
Explanation: Encryption protects data confidentiality during transmission.
Q94 What is the purpose of implementing redundant power supplies in servers? Improve encryption performance Increase network bandwidth Enhance system availability Provide faster processing
Answer
C) Enhance system availability
Explanation: Redundant power supplies help keep servers running during power failures.
Q95 Which of the following MOST accurately defines tokenization? Encrypting all data in a database Replacing sensitive data elements with a unique identifier Hashing user passwords before storage Obfuscating source code to protect intellectual property
Answer
B) Replacing sensitive data elements with a unique identifier
Explanation: Tokenization swaps real data for safe, meaningless tokens.
Q96 An attacker uses a vulnerability in a software program that has not yet been patched. What kind of attack is this? Zero-Day Man-in-the-Middle Cross-Site Scripting Phishing
Answer
A) Zero-Day
Explanation: Zero-day attacks exploit unknown or unpatched vulnerabilities.
Q97 What is the BEST method to mitigate the impact of social engineering attacks? Install firewalls Security Awareness Training Regular Penetration Testing Conduct Full Backups
Answer
B) Security Awareness Training
Explanation: Training users helps them recognize and avoid social engineering.
Q98 Which type of malware is specifically designed to provide persistent, hidden access to a compromised system? Ransomware Trojan Rootkit Worm
Answer
C) Rootkit
Explanation: Rootkits maintain hidden, persistent access by deeply integrating with systems.
Q99 A backup strategy uses the Grandfather-Father-Son method. What is this primarily designed to achieve? Ensure zero data loss Maintain multiple historical versions of backups Accelerate disaster recovery Improve real-time replication
Answer
B) Maintain multiple historical versions of backups
Explanation: Grandfather-Father-Son rotation ensures backup version history.
Q100 What security tool intercepts and controls traffic between a user and the Internet to enforce company policies? Firewall VPN Proxy Server Load Balancer
Answer
C) Proxy Server
Explanation: Proxies filter, control, and log user Internet traffic to enforce policies.