Welcome to today’s CompTIA Security+ practice test!
Today’s practice test is based on subdomain 4.1 (Given a scenario, apply common security techniques to computing resources) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. A security administrator at a large enterprise is configuring new laptops for employees. Which of the following is the most appropriate first step in establishing a secure baseline?
#2. An IT team deploys a new switch. What security control should be enabled to prevent unauthorized devices from connecting to the network?
#3. A SOC analyst needs to ensure that scripts and executables on a critical server are not modified. What technique should be used?
#4. Which of the following MDM deployment models gives employees the most flexibility but poses the greatest security challenge?
#5. A company is preparing to deploy embedded IoT sensors in a remote facility. What should be considered during hardening?
#6. Which of the following provides the strongest authentication method for wireless access in an enterprise environment?
#7. A developer wants to ensure that a mobile app hasn’t been altered after being published. What should they use?
#8. During a wireless deployment, which tool helps determine optimal access point placement?
#9. Which of the following hardening techniques is most appropriate for ICS/SCADA environments?
#10. Which of the following best supports managing software versions and patch compliance across a server fleet?
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
To view CompTIA Security+ practice tests on other days, click here. To view answers and explanations for today’s questions, see the Answers section below.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | D | A security administrator at a large enterprise is configuring new laptops for employees. Which of the following is the most appropriate first step in establishing a secure baseline? A. Configure antivirus software (Incorrect): While essential, configuring antivirus is one of many steps in hardening. It’s usually part of what’s already done in a hardened image, or it’s installed and configured immediately after the base OS is secure. It’s not the first step in establishing the entire baseline for multiple new devices. B. Disable unnecessary services (Incorrect): This is a critical step in hardening a system. However, it’s typically a task performed during the creation of a hardened master image, rather than the very first step when configuring individual new laptops in an enterprise setting. C. Apply the latest operating system patches (Incorrect): Applying patches is also a vital hardening step. Like disabling services, this is usually incorporated into the creation of a hardened master image to ensure all new deployments are up-to-date from the start. It’s not the first step for each new laptop if an enterprise strategy is used. D. Clone a hardened master image (Correct): When configuring multiple new laptops in a large enterprise, the most appropriate first step to establish a secure baseline is to clone a hardened master image. A hardened master image is a pre-configured operating system installation that already has security best practices applied (e.g., unnecessary services disabled, patches applied, antivirus pre-installed, security policies configured). Cloning this image ensures consistency, efficiency, and a uniform secure starting point across all new devices. |
| 2 | C | An IT team deploys a new switch. What security control should be enabled to prevent unauthorized devices from connecting to the network? A. WPA3 (Incorrect): WPA3 is a security protocol for securing wireless networks (Wi-Fi). It is not relevant for preventing unauthorized devices from connecting to a new switch (which implies a wired network connection). B. MAC filtering (Incorrect): While MAC filtering (allowing or blocking devices based on their MAC address) can be configured on some network devices, port security is the more specific and robust feature on a switch designed for this purpose, often including features like sticky MAC and violation actions (e.g., shutting down the port). MAC filtering on its own is often easily bypassed by MAC spoofing unless combined with stronger controls like port security. C. Port security (Correct): Port security is a switch feature that allows an administrator to control which devices (based on their MAC addresses) can connect to specific switch ports. It can limit the number of MAC addresses allowed per port or bind specific MAC addresses to a port, preventing unauthorized devices from connecting if they don’t match the allowed configuration. D. SNMPv2 (Incorrect): SNMPv2 (Simple Network Management Protocol version 2) is a protocol used for monitoring and managing network devices. While it has some security features, it is not a control for preventing unauthorized devices from connecting to the network. It’s for managing the switch itself. |
| 3 | A | A SOC analyst needs to ensure that scripts and executables on a critical server are not modified. What technique should be used? A. File integrity monitoring (Correct): File integrity monitoring (FIM) involves continuously monitoring critical system files, configuration files, scripts, and executables for unauthorized changes. By calculating and comparing hashes of these files at regular intervals, FIM can detect any modifications, deletions, or additions, which directly addresses the need to ensure scripts and executables are not modified. B. Input validation (Incorrect): Input validation is a software development practice used to ensure that user-supplied data conforms to expected formats and ranges, preventing vulnerabilities like SQL injection or XSS. It’s about protecting against malformed input, not detecting modifications to existing files. C. Static code analysis (Incorrect): Static code analysis examines source code or compiled code before it runs to find potential vulnerabilities or flaws. It’s a development-phase quality assurance tool, not a technique for detecting unauthorized modifications to deployed executables and scripts in a running environment. D. Application whitelisting (Incorrect): Application whitelisting allows only pre-approved applications (based on hashes, signatures, etc.) to run on a system, blocking all others. While it prevents unauthorized executables from running, it doesn’t detect if an existing, approved script or executable has been modified after it was initially whitelisted. FIM is designed for that detection. |
| 4 | C | Which of the following MDM deployment models gives employees the most flexibility but poses the greatest security challenge? A. CYOD (Choose Your Own Device) (Incorrect): CYOD allows employees to choose from a limited list of company-approved and provided devices. While offering some flexibility, the devices are still corporately owned and managed, giving the company more control than BYOD. B. COPE (Corporate-Owned, Personally Enabled) (Incorrect): COPE involves devices that are corporate-owned but allow some personal use. The company retains significant control over the device’s security configuration, making it less challenging than BYOD. C. BYOD (Bring Your Own Device) (Correct): BYOD allows employees to use their personal devices (smartphones, tablets, laptops) for work purposes. This offers the most flexibility for employees as they use devices they are already familiar with and prefer. However, it also poses the greatest security challenge because the company has less control over the device’s security posture, software, personal data, and compliance with corporate policies. D. Corporate-owned (Incorrect): Corporate-owned devices offer the least flexibility to employees but provide the company with the most control and the fewest security challenges, as the company dictates all aspects of device usage and security. |
| 5 | C | A company is preparing to deploy embedded IoT sensors in a remote facility. What should be considered during hardening? A. Site survey (Incorrect): A site survey is a pre-deployment planning activity to assess the environment, network coverage, and physical conditions. It is not a step in the hardening of the sensor itself. B. Static code analysis (Incorrect): Static code analysis is a software development phase activity used to identify vulnerabilities in the source code of the sensor’s firmware before it’s deployed. It’s a security best practice for building secure software, not a hardening action applied to a deployed device. C. Disabling unused services (Correct): Hardening a system involves reducing its attack surface. Embedded IoT sensors often come with various default services or features enabled that are not essential for their specific function. Disabling these unused services, ports, and protocols removes potential entry points for attackers and is a fundamental step in securing any device, especially embedded systems in remote locations. D. WPA2-Enterprise (Incorrect): WPA2-Enterprise is a standard for securing wireless network connections. While essential for the secure communication of the IoT sensor in a remote facility, it is a network security configuration, not a direct hardening action applied to the internal operating system or software of the embedded IoT sensor itself. |
| 6 | D | Which of the following provides the strongest authentication method for wireless access in an enterprise environment? A. WEP (Incorrect): WEP (Wired Equivalent Privacy) is an outdated and highly insecure wireless security protocol with known vulnerabilities that can be easily exploited. It offers virtually no real protection. B. WPA2-PSK (Incorrect): WPA2-PSK (Pre-Shared Key) is commonly used in home networks. While more secure than WEP, it relies on a single password shared among all users. If this key is compromised, the entire network is vulnerable. It lacks the individual user authentication and scalability needed for enterprise security. C. WPA3-Personal (Incorrect): WPA3-Personal (also known as WPA3-SAE) is an improvement over WPA2-PSK for home use, offering stronger key exchange and brute-force protection. However, like WPA2-PSK, it still relies on a single shared password for the network, making it unsuitable for the granular, individual authentication requirements of an enterprise. D. WPA3-Enterprise with RADIUS (Correct): WPA3-Enterprise with RADIUS (Remote Authentication Dial-In User Service) provides the strongest authentication for an enterprise environment. It uses 802.1X for authentication, requiring users or devices to authenticate individually (e.g., with unique usernames/passwords or certificates) against a central RADIUS server. This offers strong, often certificate-based, authentication, per-user encryption keys, and robust scalability, which are critical for enterprise security. |
| 7 | C | A developer wants to ensure that a mobile app hasn’t been altered after being published. What should they use? A. Secure cookies (Incorrect): Secure cookies are used to protect session data in web applications by ensuring cookies are only transmitted over encrypted connections. They are irrelevant for verifying the integrity of a mobile app after it’s published. B. Static code analysis (Incorrect): Static code analysis examines source code or compiled code before it runs (typically during development) to find vulnerabilities or bugs. It’s a development-time tool for quality assurance and security, not a mechanism to detect post-publication alterations. C. Code signing (Correct): Code signing involves digitally signing the mobile application (or its executable code) using a private key. When the app is downloaded or installed, the operating system (or app store) can verify this signature using the corresponding public key. If the app has been altered even slightly after it was signed, the signature validation will fail, indicating tampering. This directly ensures the app’s integrity after publication. D. TLS (Incorrect): TLS (Transport Layer Security) is a protocol used to encrypt communication over a network (like HTTPS). While important for securely downloading the app, it doesn’t verify the app’s integrity after it has been downloaded and potentially altered on the user’s device. |
| 8 | A | During a wireless deployment, which tool helps determine optimal access point placement? A. Heat map (Correct): A heat map (specifically, a Wi-Fi heat map) is generated using a site survey tool. It visually represents the signal strength and coverage areas of wireless access points across a physical space. This is precisely what’s needed to determine the most effective locations for access points to ensure optimal coverage and minimize dead zones. B. VPN client (Incorrect): A VPN (Virtual Private Network) client is software used to establish a secure, encrypted connection to a private network over a public one. It’s for secure remote access, not for planning wireless signal coverage. C. Firewall (Incorrect): A firewall is a network security device that monitors and filters network traffic. It’s used for enforcing security policies, not for determining optimal wireless access point placement. D. Port scanner (Incorrect): A port scanner is a tool used to identify open ports on a network host, often for vulnerability assessment. It’s used for discovering network services, not for assessing wireless signal strength or coverage. |
| 9 | D | Which of the following hardening techniques is most appropriate for ICS/SCADA environments? A. Automatic patching (Incorrect): While patching is vital, automatic patching is generally not the most appropriate technique for ICS/SCADA. These environments demand highly controlled change management processes due to their real-time, often safety-critical nature. Unforeseen side effects from automatic patches can cause operational disruptions or system instability, making manual, carefully planned, and tested patching the preferred approach. B. Host-based firewalls (Incorrect): While host-based firewalls can add a layer of security, traditional ICS/SCADA systems often rely more heavily on network segmentation (e.g., using industrial firewalls between zones) and dedicated, isolated networks. Applying complex host-based firewalls to legacy or resource-constrained ICS devices can introduce performance issues or complicate management, and it’s generally not the most appropriate or primary hardening technique compared to physical port control. C. Code obfuscation (Incorrect): Code obfuscation is a technique used to make code harder to understand or reverse-engineer. While it can be part of protecting intellectual property or hindering analysis of malware, it’s a software development technique and not a general hardening technique applied to deployed ICS/SCADA systems for operational security. D. Disabling USB ports (Correct): In ICS/SCADA environments, physical security and control over external interfaces are paramount. Disabling unused or unnecessary USB ports is a crucial hardening step because it prevents unauthorized physical access, the introduction of malware via USB drives, and data exfiltration, all of which are significant threats to these critical systems. ICS/SCADA systems often require a highly controlled environment due to their operational criticality and sensitivity to disruptions. |
| 10 | D | Which of the following best supports managing software versions and patch compliance across a server fleet? A. Group Policy (Incorrect): Group Policy is primarily used in Windows environments to manage user and computer settings, including some software deployment and patch settings. While useful, it’s typically less flexible and scalable for managing diverse software versions and patch compliance across a large, potentially heterogeneous server fleet compared to dedicated configuration management tools. B. Secure baseline (Incorrect): A secure baseline is a documented security configuration for a system. While a configuration management tool helps enforce a secure baseline, the baseline itself is the standard, not the tool that manages software versions and patch compliance. C. SIEM (Incorrect): A Security Information and Event Management (SIEM) system collects, aggregates, and analyzes security logs and events. It’s used for security monitoring, threat detection, and incident response, not for managing software versions or deploying patches. D. Configuration management tool (Correct): A configuration management tool (e.g., Ansible, Chef, Puppet, SaltStack) is specifically designed to automate the deployment, management, and updating of software and configurations across a large fleet of servers. This includes defining desired software versions, ensuring patches are applied, and verifying compliance with baselines, making it the best solution for this task. |