CompTIA Security+ Practice Test of the Day 260428

Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on Subdomain 1.4 (Explain the importance of using appropriate cryptographic solutions.) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

CompTIA Security+ Practice Test of the Day 260429
10 questions • Single best answer
Question 1
A security engineer at a defense contractor is hardening a fleet of employee laptops used to access classified systems. The engineer needs to ensure that cryptographic keys are bound to the hardware so they cannot be extracted if a device is lost or stolen. The solution must be a dedicated chip embedded directly in the motherboard and require no external hardware. Which technology BEST fulfills this requirement?

Question 2
A financial institution is rolling out full-disk encryption across all employee workstations to protect sensitive customer data. The legal team has mandated that the organization must retain the ability to decrypt any workstation if an employee leaves abruptly without surrendering their passphrase. The security architect must select a cryptographic control that satisfies this legal requirement. Which practice BEST meets this need?

Question 3
A software vendor distributes firmware updates to thousands of IoT devices deployed across customer facilities. After an incident in which tampered firmware was installed on a subset of devices, the security team needs a mechanism to prove both the authenticity of the vendor and the integrity of each update package before installation. Which cryptographic solution BEST addresses this requirement?

Question 4
A DevOps team at an e-commerce company is configuring application servers to validate the revocation status of TLS certificates used by third-party payment processors. The security team wants a solution that provides real-time revocation checking without requiring clients to download large, periodically refreshed revocation files. Which mechanism BEST satisfies this requirement?

Question 5
After a data breach, a forensic team discovers that attackers cracked a large percentage of stolen password hashes by running them against a precomputed rainbow table. The affected system applied SHA-256 to each password with no additional processing before storage. Which countermeasure would MOST directly defeat rainbow table attacks against future stored password hashes?

Question 6
A development team building a new web application wants to store user passwords such that a compromised database provides minimal value to an attacker attempting a dictionary attack. The security lead recommends an algorithm that deliberately applies the core hash function thousands of times in sequence to make each password verification attempt computationally expensive. Which cryptographic technique does this describe?

Question 7
A retail company is achieving PCI DSS compliance and needs to ensure that real payment card numbers are not retained in its transaction database after purchases are processed. The solution must also allow the company to reference the original card number for future chargebacks and refunds without storing the card number in plaintext or in any reversible encrypted form within the database. Which data protection technique BEST satisfies both requirements?

Question 8
A SaaS company is expanding its platform and currently hosts applications on app.example.com, api.example.com, and portal.example.com. The operations team wants to issue a single TLS certificate that automatically covers all current subdomains and any new subdomains added under example.com in the future, without requiring reissuance each time. Which certificate type BEST meets this requirement?

Question 9
A network security student analyzing a TLS 1.3 packet capture observes that the handshake phase uses asymmetric cryptography to establish a shared secret, after which all application data is encrypted using AES-256-GCM. The student is asked why the protocol switches algorithms mid-session rather than using asymmetric encryption throughout. What is the PRIMARY reason for this hybrid design?

Question 10
A digital forensics analyst investigating a suspected insider threat discovers that an employee uploaded hundreds of vacation photo files to a personal cloud account before resigning. Analysis reveals the images are structurally valid JPEG files, but each contains unexpected binary payloads embedded within the pixel data that do not affect the visible image. The analyst suspects sensitive documents were concealed within the photos without any use of traditional encryption. Which obfuscation technique BEST describes this method?