Welcome to today’s practice test!

Today’s practice test is based on subdomain 2.2 (Explain common threat vectors and attack surfaces) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.


#1. A security administrator at a healthcare organization notices an influx of emails prompting users to click on urgent vaccination appointment links. What type of threat vector is primarily being used?


#2. An attacker embeds malicious code inside a JPEG image, which is then posted on a popular social media platform. What attack vector is involved?


#3. A user connects an unknown USB drive found in a parking lot to their company-issued laptop. What is the primary vector here?


#4. A company uses outdated software that is no longer supported by the vendor. What is the biggest risk associated with this practice?


#5. A security administrator at a mid-sized organization discovers that users are being tricked into visiting a malicious site designed to mimic the company’s login portal. Which type of threat vector does this best represent?


#6. Which of the following best describes an attack surface?


#7. A remote employee connects to corporate systems over public Wi-Fi without using a VPN. This scenario increases risk through which vector?


#8. A developer includes a third-party library in a web app that later turns out to be vulnerable to injection attacks. What threat surface does this impact?


#9. A user reports receiving multiple unsolicited SMS messages with malicious links. What is this an example of?


#10. Which vector involves tricking users into responding to a call from a fake tech support?


Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.


Answers

Question number, correct answer, and explanation:
#1. Answer: B

The scenario describes emails designed to trick users into clicking links by impersonating a legitimate or urgent source (“urgent vaccination appointment links”). This is the classic definition of phishing, which is a social engineering technique.

A voice call (vishing) is a different communication medium from email. The threat vector described is email.

While clicking the link could lead to file-based malware, the primary threat vector being exploited to deliver the malicious attempt is the email-based social engineering, which is phishing. The malware is the payload, not the initial vector.

Typosquatting involves registering domain names similar to legitimate ones to trick users who misspell a URL. While it can be part of a phishing campaign (e.g., the link in the email uses a typosquatted domain), it’s a domain-related technique, not the primary “email-based social engineering” vector itself.
#2. Answer: B

The scenario describes embedding malicious code directly within an image file (JPEG). This is a specific type of attack vector where the image itself acts as the container for the malicious payload, often leveraging techniques like steganography or exploiting image processing vulnerabilities. Thus, it’s an image-based attack.

While an image is a file, “file-based” is a broader category that includes all types of malicious files (executables, documents, scripts). “Image-based” is a more specific and accurate description of the vector when an image is specifically used to carry the code.

This refers to physical media like USB drives. The attack vector described is social media, not a physical device.

This refers to network vulnerabilities on open ports. The attack vector described is a malicious file, not a direct network port exploit.
#3. Answer: C

The core of the attack vector is the physical USB drive, which is a type of removable storage device. The malicious content (if any) or exploit is introduced via this physical media.

The attack is initiated by a physical connection, not over a wireless network.

While “human error” (the user connecting an unknown drive) is the causal factor or a vulnerability that enables the attack, it is not the primary vector itself. The vector is the medium through which the attack is delivered, which is the USB drive.

A file-sharing application is a software tool, not the physical medium that delivers the initial threat in this scenario.
#4. Answer: C

When software is no longer supported by the vendor, it means they will not release any more security updates or patches. This leaves any newly discovered or existing vulnerabilities in the software unpatched, making the system an easy target for attackers.

Outdated software typically has reduced compatibility with newer hardware, not increased.

Outdated software doesn’t inherently restrict data flow. Its primary risk is security.

Outdated software is unlikely to have enhanced or up-to-date encryption capabilities. Often, its encryption methods may be weaker or outdated themselves.
#5. Answer: D

Typosquatting (also known as URL hijacking) involves registering domain names that are intentional misspellings or variations of legitimate website names. The goal is to trick users who mistype a URL or click a link to these malicious, mimicked sites, which perfectly fits the description of “a malicious site designed to mimic the company’s login portal.”

A watering hole attack involves compromising a legitimate website that a specific group of users is known to visit, to infect them. It’s about compromising a known good site, not creating a mimicked site.

Smishing is phishing carried out via SMS (text messages), not primarily through mimicking websites for direct navigation.

BEC is a type of scam, usually email-based, that tricks employees into transferring money or sensitive data by impersonating a high-level executive or trusted vendor. It’s focused on financial fraud through social engineering, not primarily on mimicking login portals via URL variations.
#6. Answer: D

The attack surface is the total area where an attacker could potentially gain unauthorized access to a system, network, or data. This includes all entry points, exposed services, human elements (e.g., social engineering vectors), and vulnerabilities that could be exploited.

A malicious email campaign is a type of attack or threat vector, not the attack surface itself.

While the network perimeter is part of an organization’s attack surface, it’s not the entirety of it. The attack surface also includes internal systems, applications, endpoints, and human elements.

A system vulnerability is a weakness that could be part of the attack surface, but it’s not the definition of the attack surface itself. The attack surface encompasses all such vulnerabilities and potential entry points.
#7. Answer: A

Connecting to corporate systems over public Wi-Fi without a VPN means the data is transmitted over an unsecured network. Public Wi-Fi is often unencrypted and susceptible to eavesdropping, man-in-the-middle attacks, and other network-based threats, making it the primary risk vector in this scenario.

Pretexting is a social engineering technique where an attacker creates a false scenario to trick a victim into divulging information or performing an action. It’s a method of deception, not a network connection type.

A file-based attack involves malicious code delivered through files. While possible on any network, the primary risk introduced by the unsecured public Wi-Fi itself is related to the network’s lack of protection for data in transit.

A removable device refers to physical media like USB drives. The scenario describes a network connection, not the use of a physical device.
#8. Answer: B

When a developer includes a third-party library, they are relying on components provided by an external source. If that external source introduces a vulnerability, it impacts the organization’s supply chain security. This means a weakness in a component from a vendor or open-source project can introduce vulnerabilities into your own application.

A human vector involves social engineering or human error (e.g., phishing, insider threat). This scenario is about software components, not direct human manipulation.

Image-based attacks involve embedding malicious code within images. This is unrelated to vulnerabilities in third-party software libraries.

While the vulnerable library might technically be “unsupported” in a sense (if the vendor isn’t patching it), the primary threat surface introduced is due to its origin from a third party being integrated into the application, which is a supply chain issue. An unsupported system refers more broadly to entire systems or operating systems no longer receiving updates.
#9. Answer: C

Smishing is a portmanteau of “SMS” and “phishing.” It specifically refers to phishing attacks carried out via text messages (SMS) that attempt to trick users into clicking malicious links, revealing personal information, or downloading malware.

Vishing is phishing conducted over voice calls (voice phishing). The scenario specifies SMS messages.

Phishing is the broader category of social engineering attacks that try to trick users into revealing information or taking actions. While smishing is a type of phishing, “smishing” is the more specific and accurate term when the vector is SMS messages.

Spoofing is the act of disguising communication from an unknown source as being from a known, trusted source (e.g., email spoofing, caller ID spoofing). While spoofing can be part of a smishing attack (e.g., the sender ID is spoofed), it’s a technique used within an attack, not the overall name for SMS attacks with malicious links.
#10. Answer: C

Vishing is a portmanteau of “voice” and “phishing.” It specifically refers to phishing attacks conducted over the phone, where attackers use social engineering to trick victims into revealing sensitive information or taking actions, such as responding to a fake tech support call.

Smishing is phishing conducted via SMS (text messages).

A watering hole attack involves compromising a legitimate website that a target group is known to frequent, to infect them when they visit.

“Social proofing” is not a standard term for a threat vector. While attackers use “social proof” (e.g., testimonials, popularity) as a psychological tactic in social engineering, it’s not the name of the vector itself. The correct term for the overall technique is “social engineering.”