CompTIA Security+ Practice Test of the Day 260304

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on subdomain 1.4 (Explain the importance of using appropriate cryptographic solutions.) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260304

10 questions • Single best answer

Question 1

A security engineer at a healthcare organization is designing a system to protect patient records stored in a database. The organization needs to ensure that even if the database is compromised, individual fields containing Social Security Numbers and dates of birth cannot be read by an attacker. The engineer is evaluating whether to use tokenization or data masking, and must choose the approach that allows the original value to be retrieved later through a secure lookup system when authorized personnel need it. Which technique BEST meets this requirement?

A. Data masking, because it permanently replaces sensitive values with realistic-looking substitutes that preserve format B. Tokenization, because it substitutes the original value with a token that can be reverse-mapped through a secure token vault C. Steganography, because it conceals the sensitive data within the database record without altering the visible field D. Hashing, because it produces a fixed-length output that represents the original value and can be reversed with the correct key

Question 2

A penetration tester is reviewing the cryptographic configuration of a legacy web application. The application uses an older TLS implementation that permits the negotiation of cipher suites using RC4 for stream encryption. The tester demonstrates to the client that this configuration can be exploited to force the connection to use a weaker cipher than originally negotiated, reducing the security of the session significantly. Which type of cryptographic attack is the tester describing?

A. Birthday attack, because the attacker is exploiting hash collisions in the cipher negotiation process B. Collision attack, because two cipher suites are being forced to produce the same encrypted output C. Downgrade attack, because the attacker is manipulating the negotiation to force the use of a weaker cipher suite D. Replay attack, because the attacker is reusing previously captured cipher negotiation packets to establish the session

Question 3

Your organization recently deployed a fleet of laptops for field technicians who frequently work in locations without network access. IT leadership is concerned that if a device is lost or stolen, an attacker with physical access could remove the hard drive and read data directly by connecting it to another machine. The security team is evaluating which encryption solution provides the strongest protection specifically against this threat model. Which solution BEST addresses this concern?

A. Volume encryption applied only to the folder containing sensitive project files, since this limits the attack surface to data the organization cares about most B. File-level encryption managed through the operating system's built-in EFS, since it encrypts individual files using the user's credentials C. Full-disk encryption (FDE) using a solution tied to the hardware's TPM chip, since it encrypts the entire drive and requires hardware attestation to unlock D. Database encryption for all records stored locally, since this ensures that structured data cannot be read without application-level authentication

Question 4

A developer at a financial services firm recently submitted a code change that introduces a new user authentication module. During a peer review, a senior security engineer flags that the module stores user passwords as plain MD5 hashes with no additional processing. The engineer explains that this implementation is vulnerable to precomputed lookup table attacks and that a specific additional technique should be applied before hashing. Which technique should the developer implement to mitigate this vulnerability?

A. Key stretching using PBKDF2, because it increases computational cost but does not require any modification to the input value before hashing B. Salting, because it appends a unique random value to each password before hashing, making precomputed lookup tables ineffective C. Digital signatures, because they add a layer of cryptographic verification that prevents the hash from being matched against known values D. Tokenization, because it replaces the password with a token in the database, preventing the hash from being exposed at all

Question 5

An analyst in a SOC is reviewing a TLS certificate for an internal application and notices that the certificate was issued directly by the organization's own CA without any intermediate CA in the chain. Management asks whether this matters from a security standpoint. The analyst explains that in a well-designed PKI, the root CA should be kept offline and signing should be delegated, but also notes a specific risk if the organization's CA certificate itself is ever compromised. Which PKI concept describes the foundational element that establishes the basis of trust in this certificate chain?

A. Certificate Revocation List (CRL), because it is the mechanism through which the organization can invalidate the certificate if the CA is compromised B. Root of trust, because it is the foundational CA whose certificate is inherently trusted and whose compromise would undermine all certificates it has issued C. Certificate Signing Request (CSR), because it is the document submitted to the CA that establishes the identity of the certificate requester D. Online Certificate Status Protocol (OCSP), because it provides real-time validation of whether a certificate in the chain remains valid

Question 6

A security administrator is configuring encryption for a new enterprise application that will securely exchange a symmetric session key between two servers over an untrusted network. The administrator needs to ensure that even if long-term private keys are later compromised, previously recorded encrypted sessions cannot be decrypted by an attacker. The chosen solution must support this property while still using asymmetric cryptography for the initial key exchange. Which property or mechanism BEST satisfies this requirement?

A. Key escrow, because it stores a copy of the encryption key with a trusted third party, allowing recovery of session keys if long-term keys are compromised B. Perfect Forward Secrecy (PFS) using ephemeral Diffie-Hellman key exchange, because it generates a unique session key for each session that is not derived from long-term keys C. Symmetric key exchange using AES-256, because the strength of AES-256 makes it computationally infeasible to decrypt recorded sessions even with knowledge of the private key D. A Hardware Security Module (HSM), because storing the private key in tamper-resistant hardware prevents the long-term key from ever being extracted

Question 7

A compliance officer at a law firm is evaluating the organization's current PKI certificate management practices ahead of a regulatory audit. One concern raised is that the organization has no real-time mechanism for clients to verify whether a certificate has been revoked. It only maintains a periodically published revocation list that clients download on a scheduled basis. Auditors note that the gap between list publications creates a window during which a revoked certificate could still be accepted as valid. Which technology should the organization implement to address this specific gap?

A. Wildcard certificates, because they allow a single certificate to cover multiple subdomains, reducing the number of certificates that need to be tracked for revocation B. Certificate Revocation Lists (CRLs) with a shorter publication interval, because more frequent updates reduce the window during which a revoked certificate is accepted C. Online Certificate Status Protocol (OCSP), because it allows clients to query the CA in real time about the current validity status of a specific certificate D. Self-signed certificates, because they eliminate dependency on the CA's revocation infrastructure since they are not issued through the existing PKI hierarchy

Question 8

A security architect is reviewing the cryptographic approach used by a third-party vendor to verify the integrity and authenticity of software updates pushed to enterprise endpoints. The vendor claims that each update package is cryptographically signed before distribution, and that the endpoint agent verifies the signature before installation. The architect wants to confirm that this process correctly supports both integrity verification and non-repudiation. Which cryptographic mechanism is the vendor describing, and what does it specifically provide?

A. Symmetric encryption of the update package, which provides confidentiality by ensuring only endpoints with the shared key can decrypt and install the update B. Hashing of the update package with SHA-256, which provides integrity by allowing the endpoint to verify the file has not been altered during transit C. A digital signature created with the vendor's private key, which provides both integrity and non-repudiation by cryptographically binding the vendor's identity to the content D. Key exchange using Diffie-Hellman, which establishes a secure channel between the update server and endpoint to prevent interception of the update package

Question 9

During an internal audit, an auditor discovers that a cloud storage system used by the HR department is storing employee W-2 forms, performance reviews, and termination records as unencrypted files in a shared container. The CISO asks the security team to evaluate appropriate encryption strategies. The security team notes that these files are not actively being processed, they are archived and retrieved only occasionally, and the solution must protect against unauthorized access if cloud provider credentials are compromised. Which encryption approach BEST addresses this scenario?

A. Transport encryption using TLS, because it protects the data as it moves between the organization's network and the cloud storage provider B. Full-disk encryption managed by the cloud provider, because it protects the underlying storage volumes from physical access at the data center C. File-level or object-level encryption using keys managed by the organization, because it ensures data at rest is encrypted with keys the cloud provider cannot access D. Database encryption enforced at the application layer, because structured HR records should always be protected using database-native encryption mechanisms

Question 10

A forensic investigator is examining a compromised web server and discovers that an attacker exfiltrated what appeared to be ordinary image files from a publicly accessible directory. Upon closer inspection, the investigator runs a specialized analysis tool and finds that each image contains hidden text embedded within the least significant bits of the pixel data. The hidden content includes internal API keys and configuration strings that the attacker used to pivot deeper into the organization's infrastructure. Which data obfuscation technique did the attacker use to conceal the exfiltrated configuration data?

A. Tokenization, because the attacker replaced sensitive values with non-sensitive stand-ins that could be decoded using a lookup table after exfiltration B. Data masking, because the attacker obscured the configuration strings by substituting them with realistic but fake values hidden inside the image files C. Steganography, because the attacker concealed secret data within an innocuous carrier file, in this case image files, to avoid detection during exfiltration D. Hashing, because the attacker converted the API keys into fixed-length hash values stored within the image metadata to make them unrecognizable

Mug CTA Block

Cybersecurity mugs — Decrypting This Brew & Encrypting My Thoughts

Studying for Security+? This mug was made for late-night practice tests.

🔓 ACCESS_THE_MUG

Take more CompTIA Security+ practice tests

CompTIA Security+ Practice Test of the Day 260304

ByThe Test Master

Related Post

CompTIA Security+ Practice Test of the Day 260410

CompTIA Security+ Practice Test of the Day 260409

CompTIA Security+ Practice Test of the Day 260408

Leave a Reply Cancel reply

You missed

CEH v13 Domain 7.1 Practice Test 002

CEH v13 Domain 6.1 Practice Test 002

CEH v13 Domain 5.3 Practice Test 002

CEH v13 Domain 5.2 Practice Test 002