Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on subdomain 4.2 (Explain the security implications of proper hardware, software, and data asset management) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

#1. A security administrator notices discrepancies between the organization’s inventory records and actual IT assets deployed across remote offices. Which security implication is most directly associated with failing to maintain accurate asset tracking?

#2. A healthcare provider is decommissioning old servers containing patient records. Which disposal step is required to prevent unauthorized data recovery?

#3. An organization discovers that several employees are using unlicensed software. What is the primary security implication of this practice?

#4. A company classifies customer PII as “Restricted” and R&D documents as “Confidential.” What is the security benefit of classifying assets?

#5. A user connects a personal USB drive to a company workstation, circumventing corporate IT policy. Which risk does this pose?

#6. Which of the following best describes asset enumeration?

#7. Old network switches are stored in an unlocked warehouse without data sanitization. What is the risk?

#8. A company assigns ownership of each IT asset to a specific manager. Why is this important?

#9. A hybrid-cloud environment is missing visibility into SaaS usage by employees. Which security risk does this create?

#10. Why should a company request a destruction certificate when outsourcing asset disposal?

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

Answers and explanations for today's questions follow.

Answers

#1 (Answer: D). A security administrator notices discrepancies between the organization's inventory records and actual IT assets deployed across remote offices. Which security implication is most directly associated with failing to maintain accurate asset tracking?

A. Increased vulnerability to zero-day attacks: A zero-day exploits a vulnerability for which no patch yet exists. An inaccurate inventory does make it harder to know which systems are affected once such a flaw is disclosed, but it does not create the exposure; the zero-day risk comes from the software, not from the state of the asset records.

B. Failure to meet password complexity standards: Password complexity is a policy and configuration issue related to user accounts, not directly linked to the accuracy of IT asset inventory.

C. Increased risk of phishing attacks: Phishing attacks are social engineering tactics targeting individuals, primarily through email. Asset tracking inaccuracies don’t directly increase the risk of phishing, though they might hinder response if a compromised asset is involved.

D. Difficulty in detecting unauthorized devices: If inventory records are inaccurate, the organization doesn’t have a clear picture of what should be on the network. This makes it extremely hard to identify devices that shouldn’t be there (unauthorized devices), which could be rogue devices, personal devices, or even malicious hardware.

#2 (Answer: B). A healthcare provider is decommissioning old servers containing patient records. Which disposal step is required to prevent unauthorized data recovery?

A. Reformatting the drives and selling them as surplus: A quick format rewrites only the file-system metadata (partition table, allocation tables, directory entries). The data blocks themselves are untouched, and ordinary recovery or file-carving tools read them straight back. Selling the drives afterwards hands the patient records to the buyer.

B. Physical destruction or certified data sanitization:
For data such as patient records, formatting is insufficient. NIST SP 800-88 describes three levels of sanitization: Clear (an overwrite of every addressable block, adequate for magnetic disks that stay inside the organization; a single pass is enough on modern drives), Purge (degaussing magnetic media, a cryptographic erase, or the drive's own ATA Secure Erase / NVMe Sanitize command) and Destroy (shredding, pulverizing, incinerating). Two caveats matter in practice: software overwrites and degaussing are not reliable for SSDs, whose wear levelling hides remapped cells from the host, so SSDs need Purge or Destroy; and every method must be followed by a verification step and a record of what was done to which serial number.

C. Moving them to cold storage for 2 years: This does not dispose of the data; it merely moves the storage location. The data remains recoverable and still poses a risk if the cold storage isn’t adequately secured.

D. Retaining only paper copies of all records: This is a record-keeping decision, not a data disposal method for electronic records. It also introduces new risks associated with paper document security.
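The difference between a quick format and a real overwrite is easy to see on a disk image. The following is an added example, not code from the original page: it builds a constructed miniature "disk image" (random filler, a fake directory sector, one patient-record marker at sector 8), simulates a quick format by zeroing only the metadata sector, then carves for the record by signature the way a recovery tool would, and finally overwrites the whole image and verifies the result. The image layout, the marker string and the function names are all assumptions made for the demonstration.

```python
import os

# Constructed sample "disk image": 64 sectors of random filler, a fake directory
# entry in sector 0 and one record file at sector 8. Nothing comes from a real drive.
SECTOR = 512
MARKER = b"PATIENT RECORD: MRN 0001234"   # constructed marker string to carve for


def build_image(sectors: int = 64) -> bytearray:
    """Create the image: metadata in sector 0, the record's bytes at sector 8."""
    img = bytearray(os.urandom(sectors * SECTOR))
    img[0:SECTOR] = b"DIR: records.txt -> sector 8".ljust(SECTOR, b"\x00")
    img[8 * SECTOR:8 * SECTOR + len(MARKER)] = MARKER
    return img


def quick_format(img: bytearray) -> None:
    """What a quick format does: rewrite only the file-system metadata sector.
    Every data sector is left exactly as it was."""
    img[0:SECTOR] = b"\x00" * SECTOR


def carve(img: bytes, marker: bytes = MARKER) -> list:
    """Signature-based carving: return every offset where the marker still exists,
    ignoring the (possibly destroyed) file-system metadata entirely."""
    hits, pos = [], img.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = img.find(marker, pos + 1)
    return hits


def overwrite(img: bytearray, pattern: bytes = b"\x00") -> None:
    """Single-pass overwrite of every byte: NIST SP 800-88 'Clear' for a magnetic
    disk. One pass is sufficient on modern drives; extra passes add nothing."""
    reps = len(img) // len(pattern) + 1
    img[:] = (pattern * reps)[:len(img)]


def verify_overwrite(img: bytes, pattern: bytes = b"\x00") -> bool:
    """Full read-back verification: every byte must equal the pattern. SP 800-88
    requires a verification step before the media is released."""
    reps = len(img) // len(pattern) + 1
    return bytes(img) == (pattern * reps)[:len(img)]


def demo() -> dict:
    """Run the three steps and report how many copies of the record are carvable."""
    img = build_image()
    quick_format(img)
    after_format = len(carve(img))      # record still recoverable
    overwrite(img)
    after_wipe = len(carve(img))        # nothing left to carve
    return {"recoverable_after_quick_format": after_format,
            "recoverable_after_overwrite": after_wipe,
            "overwrite_verified": verify_overwrite(img)}


if __name__ == "__main__":
    print(demo())
```

The carve step finds the record after the quick format and finds nothing after the overwrite. Note what the example cannot show: on an SSD the host only sees the logical block range, so an overwrite like this leaves copies in remapped and over-provisioned cells; there the drive's own sanitize or cryptographic-erase command, or physical destruction, is the right Purge step, and the verification then means reading the drive back afterwards rather than trusting the command's return code.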

#3 (Answer: B). An organization discovers that several employees are using unlicensed software. What is the primary security implication of this practice?

A. Increased patching cycle efficiency: Unlicensed software is typically not part of an organization’s patching management system, making it less efficient and often impossible to patch, leading to more vulnerabilities.

B. Potential introduction of malicious or unsupported software:
Unlicensed software often comes from untrusted sources (cracked installers, key generators, file-sharing sites) that bundle malware, spyware or ransomware loaders. Even when it is clean, it sits outside the vendor relationship and outside the organization's patch management, so it receives no security updates and its vulnerabilities stay unaddressed.

C. Stronger software vendor support: Using unlicensed software means the organization has no legitimate relationship with the vendor, thus no support. In fact, it could lead to legal action from the vendor.

D. Reduced attack surface: An attack surface is reduced by having fewer vulnerabilities or less exposed functionality. Unlicensed software, particularly if unpatched or malicious, increases the attack surface.

#4 (Answer: A). A company classifies customer PII as "Restricted" and R&D documents as "Confidential." What is the security benefit of classifying assets?

A. Enables risk-based security controls: Classifying assets (e.g., Restricted, Confidential) allows an organization to understand the sensitivity and value of its data. This understanding directly informs the implementation of appropriate and proportionate risk-based security controls. For example, “Restricted” data will likely require stronger access controls, encryption, and monitoring than less sensitive data.

B. Eliminates the need for encryption: Classification does not eliminate the need for encryption; rather, it often identifies which assets (like “Restricted” PII) absolutely require encryption.

C. Automatically enforces endpoint detection: Asset classification is a policy and planning activity. While it might inform the deployment of tools like Endpoint Detection and Response (EDR), it doesn’t automatically enforce them. EDR tools are separate technical controls.

D. Reduces need for user training: Asset classification actually increases the need for user training. Employees must understand the classification levels and their responsibilities in handling data appropriately according to its classification.

#5 (Answer: B). A user connects a personal USB drive to a company workstation, circumventing corporate IT policy. Which risk does this pose?

A. Inability to encrypt enterprise data: Connecting a personal USB drive doesn’t inherently prevent or cause an inability to encrypt enterprise data. Encryption capabilities are usually managed by enterprise-level solutions.

B. Increased risk of data exfiltration or malware introduction:
Data Exfiltration: A personal USB drive can easily be used to copy sensitive company data off the workstation, leading to data loss or compromise.
Malware Introduction: Conversely, the personal USB drive itself might be infected with malware (viruses, ransomware, spyware) that can then infect the company workstation and potentially spread across the network.

C. Stronger endpoint device resilience: Connecting unauthorized devices generally weakens endpoint device resilience by introducing uncontrolled variables and potential vulnerabilities, rather than strengthening it.

D. Improved USB device accountability: This action reduces accountability. Personal, unauthorized devices are not tracked or managed by corporate IT, making it impossible to audit their usage or control their contents.

#6 (Answer: D). Which of the following best describes asset enumeration?

A. Tracking the number of active security incidents: This is part of incident response and security operations, not asset enumeration.

B. Reviewing firewall rule configurations: This is a part of network security auditing or firewall management, focusing on specific security controls rather than the discovery of all assets.

C. Identifying social engineering attack patterns: This relates to threat intelligence, security awareness, and incident analysis, focusing on human-centric attacks rather than technical asset discovery.

D. Discovering and documenting all IT assets for monitoring
Asset enumeration (or asset discovery/inventory) is the process of identifying, scanning, and documenting every piece of hardware and software (servers, workstations, network devices, applications, data, etc.) within an organization’s environment. This comprehensive list is crucial for effective security monitoring, vulnerability management, and compliance.
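Questions 1 and 6 are two sides of the same control: enumeration produces the list, and the list is what lets you spot a device that should not be there. The following is an added example, not code from the original page. It reconciles a constructed inventory export against a constructed discovery result (one "ip mac hostname" line per host, as an ARP-table export or scanner output would give after normalising) and reports devices that are on the wire but not in the records, recorded assets that were not seen, and known MACs whose hostname no longer matches. The file formats, field names and sample hosts are all assumptions for the demonstration.

```python
import csv
import io
import re

# Constructed inventory export (CMDB) for a remote office. Not real data.
INVENTORY_CSV = """asset_tag,hostname,mac,owner,site
A-1001,fs01.remote-a,00:1a:2b:3c:4d:01,it-ops,remote-a
A-1002,ws-anna.remote-a,00:1a:2b:3c:4d:02,sales,remote-a
A-1003,ws-ben.remote-a,00:1a:2b:3c:4d:03,sales,remote-a
A-1004,printer1.remote-a,00:1a:2b:3c:4d:04,facilities,remote-a
"""

# Constructed discovery output (one "ip mac hostname" line per host). Not real data.
DISCOVERED_TXT = """10.20.1.10 00-1A-2B-3C-4D-01 fs01.remote-a
10.20.1.21 00-1A-2B-3C-4D-02 ws-anna.remote-a
10.20.1.22 00-1A-2B-3C-4D-03 ws-ben-2.remote-a
10.20.1.50 DE-AD-BE-EF-00-01 raspberrypi
"""


def norm_mac(mac: str) -> str:
    """Canonical lower-case colon form so 00-1A-2B-... and 001a.2b3c.... compare equal."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def load_inventory(text: str) -> dict:
    """Inventory records keyed by normalised MAC."""
    return {norm_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}


def load_discovered(text: str) -> list:
    """Parse the discovery lines into dicts with a normalised MAC."""
    hosts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, hostname = line.split()
        hosts.append({"ip": ip, "mac": norm_mac(mac), "hostname": hostname})
    return hosts


def reconcile(inventory: dict, discovered: list) -> dict:
    """Three findings an accurate inventory makes possible:
    unauthorized      - on the wire but in no record (rogue / personal device),
    missing           - recorded but not seen (lost, stolen, or silently moved),
    hostname_mismatch - known MAC, different hostname (reimaged, or a spoofed MAC)."""
    seen = set()
    result = {"unauthorized": [], "missing": [], "hostname_mismatch": []}
    for host in discovered:
        seen.add(host["mac"])
        record = inventory.get(host["mac"])
        if record is None:
            result["unauthorized"].append(host)
        elif record["hostname"].lower() != host["hostname"].lower():
            result["hostname_mismatch"].append(
                (record["asset_tag"], record["hostname"], host["hostname"]))
    for mac, record in inventory.items():
        if mac not in seen:
            result["missing"].append(record["asset_tag"])
    return result


if __name__ == "__main__":
    findings = reconcile(load_inventory(INVENTORY_CSV), load_discovered(DISCOVERED_TXT))
    for kind, items in findings.items():
        print(f"{kind}: {items}")
```

Every one of the three findings is only possible because the records exist and are trusted; with a stale inventory the Raspberry Pi and the missing printer are indistinguishable from normal churn. A MAC address is a weak identifier (trivially spoofed), so a production version keys on something harder to forge, such as the 802.1X identity, an endpoint-agent ID or a TPM-bound device certificate, and treats a MAC match with a changed hostname as a lead to investigate rather than proof of reimaging.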

#7 (Answer: A). Old network switches are stored in an unlocked warehouse without data sanitization. What is the risk?

A. Unauthorized recovery of configuration data or credentials:
Network switches, even old ones, keep their startup configuration in non-volatile memory, and that configuration commonly contains SNMP community strings, local administrator accounts whose passwords are stored in plaintext or in a trivially reversible form, RADIUS/TACACS+ shared secrets, the VLAN and ACL layout, management addresses and neighbour details; some platforms also retain logs and crash dumps on flash. Anyone who walks into the unlocked warehouse can console into a switch or pull the flash and read all of it, then reuse the credentials and the network map against the live environment. Decommissioned network gear needs the same sanitization and physical custody as a server disk.

B. Increased power consumption: Stored, old switches are typically powered off, so they wouldn’t increase power consumption. Even if powered on, their power consumption wouldn’t be a security risk in this context.

C. Increased wireless interference: Network switches are typically wired devices. While some might have wireless management capabilities, simply storing them wouldn’t inherently increase wireless interference for the active network.

D. Slow response time for patching: Patching applies to active, operational devices. Stored, decommissioned switches are not part of the active network and thus do not affect patching response times for current infrastructure.
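To make the "cached credentials" point concrete, here is an added example that is not part of the original page: a pre-disposal sweep over a constructed Cisco IOS-style startup-config excerpt. It flags plaintext SNMP community strings, hashed enable secrets, and "type 7" passwords and keys, and decodes the type 7 ones. Type 7 is a fixed-key XOR obfuscation whose key has been public for decades, so a config sitting on a warehouse shelf effectively stores those credentials in clear. The config text, hostnames and hash are constructed; the type 7 strings in it were produced with the encoder in the block.

```python
import re

# Cisco "type 7" is a fixed-key XOR obfuscation, not encryption. The key below is the
# publicly documented constant; the first two digits of a type 7 string are the
# starting offset into it.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv"


def cisco_type7_decode(blob: str) -> str:
    """Recover the plaintext from a type 7 string such as 14141B180F0B."""
    seed = int(blob[:2])
    body = bytes.fromhex(blob[2:])
    return "".join(chr(b ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)])
                   for i, b in enumerate(body))


def cisco_type7_encode(plain: str, seed: int = 14) -> str:
    """Inverse of the above; used only to build the constructed sample config."""
    out = "".join(f"{ord(c) ^ TYPE7_KEY[(seed + i) % len(TYPE7_KEY)]:02X}"
                  for i, c in enumerate(plain))
    return f"{seed:02d}{out}"


# Constructed IOS-style startup-config excerpt. Not from any real device; the
# 'enable secret' value is a placeholder, not a real MD5-crypt hash.
SAMPLE_CONFIG = """!
hostname remote-sw01
enable secret 5 $1$salt$PLACEHOLDERHASH
username admin privilege 15 password 7 14141B180F0B
snmp-server community public RO
snmp-server community s3cr3tRW RW
tacacs-server host 10.0.0.5 key 7 0227005602085E731F
line vty 0 4
 password 7 14141B180F0B
!
"""

# (finding kind, regex with the secret in group 1, optional recovery function)
PATTERNS = [
    ("snmp community (plaintext)",
     re.compile(r"^\s*snmp-server community (\S+)"), None),
    ("type 7 password (reversible)",
     re.compile(r"\bpassword 7 ([0-9A-Fa-f]+)"), cisco_type7_decode),
    ("type 7 key (reversible)",
     re.compile(r"\bkey 7 ([0-9A-Fa-f]+)"), cisco_type7_decode),
    ("type 5 enable secret (hash, crackable offline)",
     re.compile(r"^\s*enable secret 5 (\S+)"), None),
]


def sweep_config(config: str) -> list:
    """Return (line_number, finding_kind, recovered_value) for every stored secret."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        for kind, pattern, recover in PATTERNS:
            m = pattern.search(line)
            if m:
                value = m.group(1)
                findings.append((lineno, kind, recover(value) if recover else value))
                break
    return findings


if __name__ == "__main__":
    for lineno, kind, value in sweep_config(SAMPLE_CONFIG):
        print(f"line {lineno}: {kind}: {value}")
```

Run against the sample it reports six findings, including the admin and VTY password "cisco" and the TACACS+ key "Admin123" in clear. The operational conclusions: before a switch leaves the rack, erase the startup configuration and reload so the device boots unconfigured, confirm that with a console check, and log the serial number on the disposal record; while the device is in service, rotate any community string or shared secret that ever appeared in a type 7 line, and use the stronger type 8/9 password hashes where the platform supports them, because `service password-encryption` only produces type 7.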

#8 (Answer: A). A company assigns ownership of each IT asset to a specific manager. Why is this important?

A. It ensures accountability for security and maintenance:
Assigning ownership means a specific individual (the manager) is made responsible for the asset’s security, proper use, maintenance, and adherence to policies throughout its lifecycle. This clarifies roles and responsibilities and drives better security practices.

B. It reduces license costs: Asset ownership helps with tracking, which might indirectly help optimize license usage, but its primary purpose is accountability, not cost reduction. License management is a separate, though related, process.

C. It eliminates insider threats: While clear ownership can help manage risks, it does not eliminate insider threats, which can arise from various motivations and vulnerabilities regardless of asset ownership.

D. It improves password strength: Password strength is controlled by security policies, technical configurations, and user training, not directly by assigning asset ownership.

#9 (Answer: A). A hybrid-cloud environment is missing visibility into SaaS usage by employees. Which security risk does this create?

A. Shadow IT resulting in unknown attack surfaces:
Shadow IT refers to IT systems, solutions, or services used within an organization without explicit organizational approval. When employees use unmonitored SaaS applications, it creates “shadow IT,” which leads to an unknown attack surface. This means the organization doesn’t know what data is being stored, how it’s secured, or who has access, making it vulnerable to attacks through these unmanaged services.

B. Weak password complexity requirements: While weak passwords are a security risk, the lack of visibility into SaaS usage itself doesn’t directly create weak password requirements. It means the organization can’t enforce its own requirements on those unmonitored services.

C. Insecure physical server room access: This relates to physical security controls for on-premise infrastructure. SaaS is a cloud-based service, so this risk is not directly related to SaaS usage visibility.

D. Lack of regular security awareness training: While critical for overall security, lack of visibility into SaaS usage doesn’t directly create a lack of training. It’s a separate control that, if absent, could exacerbate the risks of shadow IT.

#10 (Answer: C). Why should a company request a destruction certificate when outsourcing asset disposal?

A. To prove the devices were recycled environmentally: While a disposal vendor might also provide an environmental recycling certificate, the destruction certificate specifically focuses on data security, not just environmental practices. Both are important but serve different purposes.

B. To increase network segmentation: Network segmentation is a design principle for active networks that separates different network zones to control traffic flow. It has no relation to the disposal of old assets.

C. To prove that data was securely erased or destroyed:
A destruction certificate (or certificate of sanitization/eradication) provides documented proof from the disposal vendor that sensitive data on the assets (e.g., hard drives, solid-state drives) was securely wiped, degaussed, or physically destroyed according to established standards. This is crucial for compliance, risk management, and demonstrating due diligence, especially for sensitive data.

D. To improve phishing awareness: Phishing awareness is a component of security training for employees. It is unrelated to the physical or data disposal of IT assets.