CompTIA Security+ Practice Test of the Day 260314

Question 1

A data governance analyst at a financial services firm is conducting a review of the organization's information assets. During the review, she identifies several categories of data: customer account numbers, internal salary records, publicly available press releases, and proprietary trading algorithms developed in-house. The analyst must assign the correct data type label to each asset so that appropriate handling, storage, and protection controls can be applied. The proprietary trading algorithms represent a significant competitive advantage and were developed entirely within the organization over several years. Which data type BEST describes the proprietary trading algorithms?

A. Regulated data B. Trade secret C. Intellectual property D. Financial information

Question 2

An analyst in a SOC observes that an emergency patch was applied to a critical database server over the weekend without going through the formal review process. The patch resolved a known vulnerability, but no one updated the network diagrams, configuration baselines, or related policy documents afterward. Two weeks later, a junior administrator attempts to troubleshoot a connectivity issue and makes incorrect assumptions about the server's configuration based on the outdated documentation. The incident causes a two-hour service outage. Which documentation requirement within the change management process, if followed, would have MOST directly prevented the confusion that led to the outage?

A. Updating policies/procedures B. Maintaining a backout plan C. Updating diagrams D. Version control

Question 3

A penetration tester is reviewing the data handling practices of an e-commerce company as part of a compliance engagement. She discovers that when customer service representatives view customer orders on their internal portal, the full credit card number — for example, 4111 1111 1111 1111 — is displayed on screen as 4111 **** **** 1111. The original card number is stored in the production database and is never transmitted to the display layer in full. The development team implemented this behavior specifically so that support staff cannot view or capture the full card number during their work. Which data protection method is being described?

A. Tokenization B. Encryption C. Data masking D. Hashing

Question 4

The CISO of a multinational retail organization is working with legal counsel to evaluate a proposed cloud migration plan. The organization operates in the European Union and collects personal data from EU residents. Legal counsel advises that under applicable privacy regulations, EU customer data cannot be stored on servers physically located outside the European Economic Area unless specific contractual and technical safeguards are in place. The cloud provider being evaluated operates its primary data centers in the United States and Southeast Asia. Which concept MOST directly drives the legal team's concern about where the data is stored?

A. Data retention B. Data classification C. Data sovereignty D. Geolocation tagging

Question 5

A software development team at a healthcare technology company is preparing to test a newly built patient scheduling module. The QA environment does not meet HIPAA security requirements, and the compliance team has prohibited the use of real patient data in testing. However, the developers need realistic datasets that preserve the structure of actual records — including field lengths, date formats, and name conventions — so that edge cases can be properly tested. The security architect must recommend a technique that produces safe, realistic test data without exposing protected health information. Which technique BEST meets this requirement?

A. Encryption B. Tokenization C. Hashing D. Data masking

Question 6

A security engineer at a mid-sized logistics company is reviewing how customer shipment records are handled as they move through various stages of the business workflow. At one point during processing, the records are loaded into memory by the company's shipment tracking application, where they are actively read, updated, and referenced in real time by the application logic. The engineer is concerned that a sophisticated attacker who has gained access to the application server could exploit this stage to capture data before it is written back to disk. Which data state presents the risk the engineer is describing?

A. Data at rest B. Data in transit C. Data in use D. Data in archive

Question 7

A database administrator at an insurance company discovers that the organization's legacy claims database stores user passwords as unsalted MD5 hashes. A threat researcher informs the security team that MD5 is susceptible to precomputed rainbow table attacks, meaning an attacker who obtains the database could rapidly reverse millions of hashed passwords using publicly available tools. The security team asks the DBA what should be added to the password storage process immediately to defeat rainbow table attacks specifically. Which technique directly addresses the rainbow table threat?

A. Key stretching using PBKDF2 B. Salting C. Tokenization D. Full-disk encryption

Question 8

Your organization recently adopted a cloud-first strategy and has migrated several workloads to a public cloud provider. During a risk review, the security team identifies that customer financial records are stored in a cloud database, transmitted via API calls to a reporting dashboard, and actively processed by an analytics engine running in the cloud. The team wants to ensure the appropriate protection method is applied to each stage of the data lifecycle. For the records that are currently sitting idle in the cloud database and not being accessed, which protection method is MOST appropriate?

A. TLS encryption for data in transit B. Tokenization for data in use C. Encryption for data at rest D. Data masking for data in use

Question 9

A security architect at a global pharmaceutical company is designing the data handling policy for clinical trial data. Some of this data includes personally identifiable information about trial participants, proprietary drug formulas, and results that are subject to FDA reporting requirements. The architect must assign the correct data classification to each category so that access controls, encryption standards, and handling procedures can be tailored appropriately. The proprietary drug formula data, if disclosed to competitors, would cause severe and irreversible harm to the company's market position. Which data classification BEST applies to the proprietary drug formula data?

A. Private B. Sensitive C. Public D. Restricted

Question 10

A compliance officer at a financial institution is reviewing a third-party vendor's data handling practices. The vendor processes payment card data on behalf of the institution and stores transaction records in its own database. During the review, the officer learns that the vendor replaces each customer's 16-digit card number with a randomly generated value that bears no mathematical relationship to the original number. The original card number is stored separately in a secure vault managed by the vendor, and the surrogate value is what flows through the vendor's transaction processing systems. Which data protection method is the vendor using, and what is its PRIMARY security advantage over encryption?

A. Hashing; it is irreversible and cannot be decrypted B. Data masking; it preserves the display format without revealing sensitive data C. Tokenization; the surrogate value is useless to an attacker without vault access D. Salting; it prevents rainbow table attacks against stored card numbers

CompTIA Security+ Practice Test of the Day 260314

ByThe Test Master

Related Post

CompTIA Security+ Practice Test of the Day 260410

CompTIA Security+ Practice Test of the Day 260409

CompTIA Security+ Practice Test of the Day 260408

Leave a Reply Cancel reply

You missed

CEH v13 Domain 7.1 Practice Test 002

CEH v13 Domain 6.1 Practice Test 002

CEH v13 Domain 5.3 Practice Test 002

CEH v13 Domain 5.2 Practice Test 002