Welcome to today’s practice test!

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

#1. A security administrator at a global enterprise is implementing a Zero Trust architecture. Which component is responsible for evaluating access based on real-time evaluation of policies, identities, and context?

#2. An attacker is attempting to exploit a race condition between file access checks and file use in a Linux application. What type of vulnerability is being exploited?

#3. A company classifies its risk appetite as conservative. Which action aligns BEST with this approach when evaluating a medium-likelihood, high-impact threat?

#4. A global enterprise is developing security training content. Which of the following is MOST important to include to support international compliance efforts?

#5. A third-party software provider has access to sensitive customer data. What is the BEST way to ensure continued compliance and accountability over time?

#6. During a tabletop exercise, the IR team discovers that the recovery time it can actually achieve is longer than the stated RTO. What is the immediate next step?

#7. A security engineer deploys a host-based intrusion prevention system (HIPS) in a zero-trust environment. Which characteristic BEST defines this deployment?

#8. Which control BEST supports enforcement of just-in-time (JIT) privileged access?

#9. What is the MOST appropriate method to ensure expired data is irrecoverable from decommissioned SSDs?

#10. A penetration tester discovers a misconfigured public S3 bucket. What is the MOST critical risk?

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

Answers

1. Answer: B

In a Zero Trust architecture, the Policy Engine (PE) is the core component that takes all available information (user identity, device posture, location, threat intelligence, etc.) and, based on predefined policies, performs the real-time evaluation that decides whether to allow or deny an access request.

The Policy Enforcement Point (PEP) is responsible for enforcing the decision made by the Policy Engine. It executes the allow or block action, but it doesn’t perform the evaluation or decision-making itself.

An Identity Provider (IdP) is responsible for authenticating users (verifying their identity). While crucial for providing identity information to the Policy Engine, it doesn’t make the access decision based on all contextual factors in a Zero Trust model.

A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on predefined security rules. While firewalls can act as Policy Enforcement Points, they are a general network security tool, not the specific component responsible for the comprehensive, dynamic evaluation and decision-making within a Zero Trust architecture.
2. Answer: A

Time-of-Check to Time-of-Use (TOCTOU) is a specific type of race condition vulnerability. It occurs when a system’s access decision (the “time of check”) is made based on the state of a resource, but that resource’s state changes before it is actually used (the “time of use”). An attacker exploits this window, for example by swapping a file for a symbolic link after the check has passed, to perform unauthorized actions. The description “race condition between file access checks and file use” matches this exactly.

DLL (Dynamic Link Library) injection involves injecting code into a running process by forcing it to load a malicious DLL. This is a method of code execution, unrelated to timing vulnerabilities in file access.

A buffer overflow occurs when a program tries to write more data into a fixed-size memory buffer than it can hold, leading to data corruption or code execution. This is a memory-based vulnerability, not a timing-based one.

Command injection occurs when an application executes user-supplied input as system commands without proper sanitization. This is an input validation vulnerability, not a race condition related to file access.
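The following is an added example, not code from the practice test or from any product, showing the TOCTOU pattern from question 2 in Python: a racy check-then-open beside a hardened open-then-check. The temporary directory, file names and file content are constructed for the demonstration; the symlink stands in for the substitution an attacker performs inside the check/use window.

```python
"""Added example, not part of the practice test or any product: the TOCTOU
pattern from question 2 as a racy check-then-open beside a hardened
open-then-check. The temp directory, file names and content are constructed."""
import os
import stat
import tempfile
from typing import Optional


def read_if_allowed_racy(path: str) -> Optional[bytes]:
    """Vulnerable: the decision is made on the path at time of check, and the
    path is resolved again at time of use. An attacker who controls the
    directory can swap the file for a symlink between the two calls."""
    if not os.access(path, os.R_OK):       # time of check
        return None
    with open(path, "rb") as f:            # time of use: path resolved again
        return f.read()


def read_if_allowed_safe(path: str) -> Optional[bytes]:
    """Hardened: open first, refuse a symlink at the final path component, then
    inspect the object actually opened via its descriptor. The descriptor is
    bound to the inode, so later changes to the path cannot redirect it.
    (O_NOFOLLOW covers only the last component; parent directories must be
    trusted or opened step by step.)"""
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    except OSError:                        # ELOOP when path is a symlink, etc.
        return None
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):   # reject FIFOs, devices, dirs
            return None
        with os.fdopen(fd, "rb") as f:     # fdopen takes ownership of fd
            fd = -1
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)


def demo() -> dict:
    """Constructed scenario: a regular file plus a symlink to it, the state an
    attacker creates inside the check/use window. The racy reader follows the
    link; the hardened reader rejects it but still reads the regular file."""
    with tempfile.TemporaryDirectory() as d:
        regular = os.path.join(d, "report.txt")
        link = os.path.join(d, "report-link.txt")
        with open(regular, "wb") as f:
            f.write(b"quarterly numbers\n")
        os.symlink(regular, link)
        return {
            "racy_follows_symlink": read_if_allowed_racy(link) is not None,
            "safe_rejects_symlink": read_if_allowed_safe(link) is None,
            "safe_reads_regular": read_if_allowed_safe(regular) == b"quarterly numbers\n",
        }


if __name__ == "__main__":
    print(demo())
```

The design point is that the hardened version never makes a decision about a path and then reuses the path; every check after the open is made on the descriptor, which the attacker cannot redirect.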
3. Answer: C

For a company with a conservative risk appetite facing a high-impact threat, the action that aligns best is to avoid the risk if at all possible. This means eliminating the activity or process that gives rise to the threat, thereby removing the potential for high impact altogether. Avoidance is the most protective of the risk responses because it removes the exposure rather than reducing or redistributing it.

Accepting a high-impact threat (even if medium likelihood) goes against a conservative risk appetite, as it means directly bearing the potential negative consequences.

While transferring risk (e.g., through insurance) can be part of a conservative strategy, it doesn’t eliminate the risk itself, merely shifts the financial burden. Avoiding the risk entirely is a more conservative approach if feasible.

Monitoring the risk without taking immediate action is a form of acceptance and is not sufficiently proactive for a high-impact threat when the risk appetite is conservative.
4. Answer: C

For a global enterprise, localized legal and regulatory requirements are paramount for international compliance. Different countries and regions (e.g., the EU with GDPR, various Asian countries with their own data privacy laws) have distinct legal obligations. Security training must specifically address these diverse, legally binding rules to ensure the company avoids non-compliance penalties and operates lawfully across its international footprint.

NIST provides excellent security frameworks and guidelines, but is primarily US-centric. While valuable for building a robust security program, they are generally not the specific, legally binding international compliance requirements themselves.

Data classification is an internal process and a tool to help manage sensitive information. While it supports compliance by ensuring proper data handling, it is not the most important inclusion for directly addressing international legal and regulatory obligations in training content.

Password complexity enforcement is a specific technical security control. While important for security, it is a single security measure and not the primary focus for comprehensive “international compliance efforts” in a training curriculum.
5. Answer: D

To ensure continued compliance and accountability over time with a third-party software provider that has access to sensitive customer data, regular security audits are the BEST way. Audits provide independent verification that the provider is adhering to agreed-upon security controls, policies, and regulatory requirements (like HIPAA, GDPR, etc.) on an ongoing basis. This directly addresses the “continued compliance and accountability” aspect.

Static code analysis is a development-phase activity that checks code for vulnerabilities before deployment. While important for initial security, it’s not a mechanism for ensuring continued compliance and accountability over time of a deployed third-party service or its operational security practices.

Requiring security training for the third-party’s employees is a good measure to improve their awareness. However, training alone doesn’t ensure compliance or provide accountability through verification of their actual security posture and practices over time. Audits do.

Rotating cryptographic keys is an important security practice for key hygiene and reducing risk. However, it’s a specific technical control that’s part of an overall security program. It doesn’t, by itself, ensure broad “continued compliance and accountability” of a third-party provider’s entire security posture.
6. Answer: A

When an Incident Response (IR) team finds during a tabletop exercise that the recovery time it can actually achieve is longer than the business’s stated Recovery Time Objective (RTO), there is a critical gap between technical recovery capability and business requirements. The Business Continuity (BC) team (or the relevant business stakeholders and leadership) must be informed immediately. This allows them to assess the impact, understand the discrepancy, and decide on the appropriate strategic response, which might include revising the objective, allocating more resources, or accepting the risk.

Initiating disaster recovery is an action taken during an actual disaster to restore operations. A tabletop exercise is a simulation, not a live event requiring actual recovery initiation.

An SLA (Service Level Agreement) might need to be updated eventually if the RTO cannot be met or if the business decides to accept a longer RTO. However, this is a subsequent action that would follow the initial notification and business decision-making, not the immediate next step during the exercise findings.

Updating firewall rules is a technical security action related to network access control. It is completely unrelated to discovering a discrepancy in RTO during a disaster recovery tabletop exercise.
7. Answer: B

In a Zero Trust environment, the principle is “never trust, always verify.” A Host-based Intrusion Prevention System (HIPS) operates directly on the endpoint. Its ability to perform inline inspection of traffic at the endpoint means it can actively monitor, analyze, and block suspicious activity and unauthorized access attempts in real time, right where the activity originates or terminates. This granular, on-device enforcement aligns with Zero Trust’s pervasive verification model.

While HIPS can utilize signature-based detection, this describes a method of detection, not the defining characteristic of its deployment in a Zero Trust environment. Zero Trust emphasizes proactive prevention and verification, often going beyond just signatures.

NetFlow telemetry is a network-level data source, typically collected by network devices (like routers or switches) to analyze traffic flows. It provides high-level insights but doesn’t involve the deep, inline inspection and prevention at the host level that defines a HIPS deployment.

While an endpoint might be on a wireless network, a HIPS’s primary function is to secure the host itself, regardless of the network type. Monitoring the wireless network infrastructure is a separate function, typically performed by wireless IDS/IPS or network monitoring tools.
8. Answer: B

Privileged Access Management (PAM) solutions are specifically designed to manage, monitor, and secure privileged accounts. A core capability of modern PAM systems is to enable just-in-time (JIT) access, ensuring that elevated privileges are granted only when necessary, for a defined period, and then automatically revoked. This directly supports the enforcement of JIT privileged access.

Role-based access control (RBAC) assigns permissions based on a user’s role, but it doesn’t inherently provide the dynamic, temporary granting and revocation characteristic of JIT access. Privileges assigned via RBAC are typically persistent.

Group Policies are used for configuring security settings and user rights within an organization (common in Windows). While they define what privileges a user can have, they do not dynamically grant and revoke those privileges on a just-in-time basis.

Endpoint Detection and Response (EDR) systems monitor and respond to threats on endpoints. They are primarily a detective and response control, not a system for managing or enforcing privileged access.
9. Answer: B

For SSDs (Solid State Drives), the drive’s built-in secure erase function is the MOST appropriate method to render data irrecoverable. The command (ATA Secure Erase on SATA drives; Format NVM with a secure-erase setting, or Sanitize, on NVMe drives; typically issued through the manufacturer’s tool or a utility such as hdparm or nvme-cli) instructs the SSD’s controller to erase every block it manages, including the spare and over-provisioned areas that host-side software cannot address. On self-encrypting drives this is commonly implemented as a cryptographic erase that discards the media encryption key. NIST SP 800-88 classifies these controller-level operations as purge methods. Confirm completion from the tool’s status output and record the sanitization against the asset before the drive leaves custody.

Low-level formatting is a legacy HDD term. On an SSD a host-side format only writes to the logical address space the controller exposes; blocks retired by wear leveling or held in the over-provisioned spare area are never touched, so data can remain recoverable.

Logical deletion (e.g., emptying the recycle bin, deleting a file normally) only removes pointers to the data, making the space available for new data, but the old data remains on the drive until overwritten. It provides no actual data sanitization.

Degaussing works by destroying magnetic domains on traditional HDDs. SSDs use flash memory (NAND) and are not magnetic, so degaussing has no effect on them.
10. Answer: A

A misconfigured public S3 bucket, by its nature, means that the default (private) access settings have been altered to allow public access. The most critical risk stemming from this is that unauthorized individuals can read sensitive data stored in the bucket (e.g., customer records, intellectual property) and/or write malicious content to it, potentially leading to data breaches, data tampering, or the hosting of malware.

Lack of encryption at rest is a separate concern, and it does not compensate for public access. An S3 bucket can have server-side encryption (SSE-S3, SSE-KMS) enabled and still be publicly readable; with SSE-S3 the service decrypts objects transparently for anyone the policy allows to read them, including anonymous callers. (SSE-KMS additionally requires permission to use the KMS key, which an anonymous reader does not have, but that protection comes from KMS access control, not from a bucket setting.) The access-control failure is the immediate and critical risk.

DNS hijacking involves redirecting domain names to malicious IP addresses. This is a separate type of attack that targets DNS infrastructure, not a direct consequence of a misconfigured S3 bucket.

SQL injection is a web application vulnerability that exploits improper input validation in SQL queries. S3 buckets are object storage, not relational databases, and thus are not susceptible to SQL injection.
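The following is an added example, not code from the practice test or from AWS: an offline linter for the bucket-policy side of the public exposure discussed in question 10. It flags Allow statements whose Principal is everyone, with no Condition, that grant read or write actions, and it shows the weak policy beside a corrected one that names a specific role. The policies, bucket name and account ID are constructed placeholders. It checks only the bucket policy; bucket ACLs and S3 Block Public Access are separate controls and must be reviewed as well.

```python
"""Added example, not part of the practice test or of AWS tooling: an offline
linter for the bucket-policy side of the public S3 exposure in question 10.
The policies are constructed samples (placeholder bucket name and account ID).
It checks the bucket policy only; bucket ACLs and S3 Block Public Access are
separate controls and must be reviewed as well."""
import fnmatch
import json
from typing import List

READ_ACTIONS = ("s3:getobject", "s3:listbucket")
WRITE_ACTIONS = ("s3:putobject", "s3:deleteobject", "s3:putobjectacl", "s3:putbucketpolicy")


def _as_list(value):
    """IAM JSON allows either a single value or a list in most fields."""
    return value if isinstance(value, list) else [value]


def _is_anonymous(principal) -> bool:
    """Principal "*" or {"AWS": "*"} means everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _grants(actions, targets) -> bool:
    """Action patterns such as s3:Get* or s3:* are wildcards; IAM matches actions case-insensitively."""
    return any(fnmatch.fnmatchcase(t, a.lower()) for a in actions for t in targets)


def public_findings(policy_json: str) -> List[str]:
    """One finding per Allow statement that grants read or write to everyone
    with no Condition narrowing the callers."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow" or not _is_anonymous(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # a conditional grant still deserves review, but is not blanket public
        actions = _as_list(stmt.get("Action", []))
        sid = stmt.get("Sid", "no Sid")
        if _grants(actions, WRITE_ACTIONS):
            findings.append(f"statement {i} ({sid}): public WRITE")
        elif _grants(actions, READ_ACTIONS):
            findings.append(f"statement {i} ({sid}): public READ")
    return findings


# Constructed weak policy: anyone on the internet can read and overwrite every object.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AllowEveryone",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:GetObject", "s3:PutObject"],
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed read-only public policy: the classic leaked-data case.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    },
})

# Constructed corrected policy: only a named role in a placeholder account may read.
FIXED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AppRoleOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


if __name__ == "__main__":
    for name, policy in [("public", PUBLIC_POLICY), ("public-read", PUBLIC_READ_POLICY), ("fixed", FIXED_POLICY)]:
        print(name, public_findings(policy) or ["no public grants"])
```

Write grants are reported ahead of read grants because an anonymous PutObject lets an attacker host malware or tamper with data, which is worse than disclosure alone; a statement that is public but carries a Condition is skipped by this linter and should be reviewed by hand.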