Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on subdomain 4.5 (Given a scenario, modify enterprise capabilities to enhance security.) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.


#1. A security administrator at a financial institution notices unauthorized outbound connections to IP addresses associated with malicious domains. Which firewall configuration change would best mitigate this issue?


#2. An IDS is generating thousands of false positives from a legitimate backup application. What is the best way to reduce false positives without disabling detection?


#3. A company wants to block access to malicious websites and control employee browsing habits. Which control is best suited?


#4. A company is replacing Telnet with a more secure protocol. Which is the best alternative?


#5. A security team wants to block connections to domains associated with phishing campaigns. Which solution best fits this requirement?


#6. A company is experiencing frequent phishing attacks spoofing its domain name. Which email security control helps verify sending servers and enforce policy on unauthorized messages?


#7. A system admin deploys a tool to detect unauthorized changes to critical operating system files. Which technology is being used?


#8. Which NAC policy action ensures that only devices with updated antivirus and patches can connect to the network?


#9. A SOC notices a user downloading gigabytes of sensitive data at 2 a.m., which is unusual for their profile. What tool best detects this anomaly?


#10. Which firewall architecture is specifically designed to host public-facing services like web servers while protecting internal networks?


Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To view CompTIA Security+ practice tests on other days, click here. To view answers and explanations for today’s questions, see the Answers section below.

Answers

#1. Answer: D
A security administrator at a financial institution notices unauthorized outbound connections to IP addresses associated with malicious domains. Which firewall configuration change would best mitigate this issue?

A. Allow all traffic on TCP port 80 but block UDP 53: Allowing all outbound HTTP (TCP 80) traffic is often too permissive, and blocking UDP 53 (DNS) could severely impact legitimate network functionality. This isn’t a targeted solution for specific malicious IP addresses and could introduce more vulnerabilities or disrupt services.

B. Enable port forwarding for all external requests: Port forwarding allows external requests to reach internal services on specific ports. This is an inbound configuration that typically increases the attack surface by making internal services accessible from the outside. It has no relevance to mitigating unauthorized outbound connections to malicious domains.

C. Disable stateful inspection on the firewall: Stateful inspection is a critical security feature that tracks the state of active network connections, allowing the firewall to make intelligent decisions about what traffic to allow or block. Disabling it would significantly weaken the firewall’s security posture and make it less effective against various attacks, including those involving unauthorized outbound connections.

D. Implement an egress filtering rule blocking specific IP addresses
Egress filtering refers to controlling outbound network traffic from your internal network. By implementing rules to block specific IP addresses associated with malicious domains, the firewall prevents compromised internal systems from communicating with command-and-control servers or exfiltrating data, directly mitigating the observed unauthorized outbound connections. This aligns with the principle of least privilege – only allowing necessary outbound traffic.

#2. Answer: B
An IDS is generating thousands of false positives from a legitimate backup application. What is the best way to reduce false positives without disabling detection?

A. Disable all intrusion signatures: This would essentially disable the IDS’s ability to detect any threats, leaving the network vulnerable. This is an extreme and unacceptable measure.

B. Create an application whitelist exception
If a legitimate application is causing numerous false positives, the most effective way to reduce them without disabling detection entirely is to create an exception or whitelist rule for that specific application’s activity within the IDS. This tells the IDS to ignore known, legitimate traffic patterns from that application, allowing it to focus on truly suspicious activities from other sources.

C. Remove the IDS from inline mode: Taking an IDS out of inline mode (so that it only monitors traffic rather than blocking it) might stop it from interfering with the backup application if it was actively blocking, but it doesn’t reduce the number of alerts (false positives) generated by the monitoring function, which is the core problem described. The question is about reducing false positives, not just stopping blocking.

D. Increase bandwidth allocation for backups: Increasing bandwidth might improve the backup application’s performance, but it has no direct bearing on the IDS’s logic for detecting patterns and generating alerts. The IDS is flagging the type of traffic, not the volume.

#3. Answer: A
A company wants to block access to malicious websites and control employee browsing habits. Which control is best suited?

A. Centralized proxy with URL reputation filtering
A proxy server acts as an intermediary for web requests. When combined with URL reputation filtering (or content filtering), it can effectively block access to known malicious websites (based on reputation databases) and enforce policies on employee browsing habits (e.g., blocking access to certain categories of websites like social media or gambling). “Centralized” means it can be managed from one point for all employees.

B. NAC appliance (Network Access Control): A NAC appliance controls which devices and users can access the network, based on their compliance with security policies. It’s about network admission, not controlling web browsing or blocking specific malicious websites.

C. DNS zone transfer: A DNS zone transfer is a mechanism used to replicate DNS records from a primary DNS server to a secondary one. It’s a core DNS operational process and has no direct function in blocking access to malicious websites or controlling browsing habits.

D. IDS with anomaly detection (Intrusion Detection System): An IDS monitors network traffic for suspicious activity and alerts on anomalies. While it can detect attempts to access malicious sites, its primary function is detection and alerting, not blocking the access itself as a proxy with filtering would.

#4. Answer: B
A company is replacing Telnet with a more secure protocol. Which is the best alternative?

A. FTP (File Transfer Protocol): FTP is used for transferring files between computers. It sends data (including credentials) in plain text by default and is not a secure replacement for remote access. SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure) would be secure file transfer alternatives, but FTP itself is not a remote access protocol like Telnet or SSH.

B. SSH
SSH (Secure Shell) is the best alternative to Telnet because it provides a secure, encrypted channel for remote command-line access, remote execution of commands, and other network services. Unlike Telnet, which sends data in plain text, SSH encrypts all communications, protecting against eavesdropping and unauthorized access.

C. SNMPv1 (Simple Network Management Protocol version 1): SNMPv1 is used for network device management. It is an insecure protocol that sends community strings (passwords) in plain text and is highly vulnerable. It’s not a remote access protocol for general command-line use.

D. TFTP (Trivial File Transfer Protocol): TFTP is a very simple, unauthenticated, and unencrypted file transfer protocol. It’s used for basic file transfers (e.g., booting network devices) but offers no security and is not a replacement for interactive remote access.

#5. Answer: A
A security team wants to block connections to domains associated with phishing campaigns. Which solution best fits this requirement?

A. DNS filtering service
A DNS filtering service (also known as a DNS firewall or recursive DNS resolver with security features) works by preventing users from resolving (and thus connecting to) domain names that are known to be malicious, such as those associated with phishing campaigns, malware, or command-and-control servers. When a user tries to access a malicious domain, the DNS filter blocks the resolution, preventing the connection from ever being established.

B. Endpoint antivirus software: Antivirus software primarily focuses on detecting and removing malicious files (malware) on individual devices. While some endpoint security solutions have web filtering capabilities, a dedicated DNS filtering service is more effective and proactive at the network level for blocking access to malicious domains before any content is downloaded.

C. DHCP lease timer reduction: DHCP (Dynamic Host Configuration Protocol) lease timers determine how long a device can keep an assigned IP address. Reducing this time has no direct impact on blocking access to malicious domains.

D. VLAN segmentation: VLAN (Virtual Local Area Network) segmentation divides a physical network into multiple logical segments. While good for containing breaches and controlling internal traffic, it does not directly block access to external malicious domains from the internet.

#6. Answer: C
A company is experiencing frequent phishing attacks spoofing its domain name. Which email security control helps verify sending servers and enforce policy on unauthorized messages?

A. SPF only: SPF allows a domain owner to specify which mail servers are authorized to send email on behalf of their domain. While it helps verify sending servers, it doesn’t offer the comprehensive reporting or policy enforcement capabilities (like instructing recipients to reject spoofed emails) that DMARC does. An attacker could still spoof the “From” address if only SPF is used.

B. DKIM only: DKIM uses cryptographic signatures to verify that an email message has not been tampered with in transit and that it genuinely originates from the stated domain. Like SPF, it’s a component of authentication, but by itself, it doesn’t provide the explicit policy enforcement or reporting for failed alignment that DMARC offers.

C. DMARC (Domain-based Message Authentication, Reporting, and Conformance)
DMARC builds upon SPF (Sender Policy Framework) and DKIM (DomainKeys Identified Mail) to provide comprehensive email authentication. Its primary function is to:
Verify sending servers: It checks whether the message passes SPF and/or DKIM and whether the authenticated domain aligns with the purported sending (From) domain.
Enforce policy on unauthorized messages: It allows the domain owner to tell receiving email servers what to do with messages that fail DMARC checks (e.g., quarantine, reject, or simply monitor). This directly helps combat phishing and domain spoofing by allowing the receiving server to identify and block emails that falsely claim to be from your domain.

D. TLS (Transport Layer Security): TLS encrypts email communication in transit between mail servers, protecting it from eavesdropping. While crucial for confidentiality, it does not authenticate the sending domain or prevent spoofing. An attacker can still send a spoofed email over a TLS-encrypted connection.
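As an added illustration of the DMARC logic described in the explanation for question 6 (this is example code, not from the original page): it parses a DMARC TXT record, checks SPF/DKIM alignment against the visible From domain, and returns the disposition the record asks for. The organizational-domain rule is a simplification (real receivers consult the Public Suffix List), and all domains used are constructed.

```python
"""DMARC evaluation in miniature (added example). Assumes SPF and DKIM have already been
checked upstream and we are given their results plus the domains they authenticated."""


def parse_dmarc(record):
    """'v=DMARC1; p=reject; aspf=r' -> {'v': 'DMARC1', 'p': 'reject', 'aspf': 'r'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels (assumption; no PSL lookup)."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') requires an exact match; relaxed ('r') accepts the same organizational domain."""
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def evaluate(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Return (dmarc_result, disposition) for one message.

    spf_domain is the MAIL FROM domain that SPF authenticated; dkim_domain is the d= tag
    of the signature that verified. A single aligned pass is enough for DMARC to pass."""
    tags = parse_dmarc(record)
    spf_ok = spf_result == "pass" and aligned(spf_domain, from_domain, tags.get("aspf", "r"))
    dkim_ok = dkim_result == "pass" and aligned(dkim_domain, from_domain, tags.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    dispositions = {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}
    # An unrecognized p= value is treated as monitor-only here (simplification of RFC 7489 handling).
    return "fail", dispositions.get(tags["p"].lower(), "deliver (monitor only)")


if __name__ == "__main__":
    policy = "v=DMARC1; p=reject; aspf=r; adkim=s; rua=mailto:dmarc-reports@example.com"
    # Spoofed From: SPF passes only for an unrelated bounce domain, no DKIM -> reject
    print(evaluate(policy, "example.com", "pass", "mailer.unrelated-example.net", "none", ""))
    # Legitimate bulk sender on a subdomain: relaxed SPF alignment -> pass
    print(evaluate(policy, "example.com", "pass", "bounce.example.com", "none", ""))
```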

#7. Answer: B
A system admin deploys a tool to detect unauthorized changes to critical operating system files. Which technology is being used?

A. Host-based firewall: A host-based firewall controls network traffic to and from an individual computer. It’s focused on network access, not detecting changes to local files.

B. File integrity monitoring (FIM)
FIM is a technology specifically designed to monitor critical operating system files, application files, and other sensitive data for unauthorized modifications, deletions, or additions. It typically works by creating a baseline (e.g., cryptographic hashes) of files and then periodically checking for any deviations from that baseline, alerting administrators to changes.

C. SIEM (Security Information and Event Management): A SIEM collects and correlates security logs and events from various sources, including potentially FIM systems. However, the SIEM itself doesn’t perform the detection of file changes; it processes the alerts generated by a technology like FIM.

D. Packet capture: Packet capture involves intercepting and logging data packets that pass over a computer network. It’s used for network analysis and troubleshooting, not for detecting changes to files on a system’s hard drive.

#8. Answer: D
Which NAC policy action ensures that only devices with updated antivirus and patches can connect to the network?

A. VLAN trunking: VLAN trunking is a networking concept that allows multiple VLANs to traverse a single physical link between switches or a switch and a router. It involves network segmentation and connectivity, not assessing device health.

B. QoS tagging: QoS (Quality of Service) tagging marks network traffic to prioritize certain types of data. It affects how traffic is handled on the network, not whether a device is compliant or allowed to connect.

C. Port mirroring: Port mirroring (also known as SPAN or RSPAN) sends a copy of network packets from one switch port to another for analysis by monitoring tools. It’s used for network monitoring and troubleshooting, not for enforcing device compliance before connection.

D. Posture assessment
Posture assessment is a key function of Network Access Control (NAC) systems. It involves evaluating an endpoint (device) for its compliance with security policies before it’s allowed full network access. This assessment typically checks for things like updated antivirus definitions, the presence of necessary security patches, firewall status, and other health indicators. If the device doesn’t meet the required posture, NAC can then quarantine it or deny access.

#9. Answer: A
A SOC notices a user downloading gigabytes of sensitive data at 2 a.m., which is unusual for their profile. What tool best detects this anomaly?

A. User behavior analytics (UBA)
User behavior analytics (UBA) is specifically designed to detect anomalies in user activity. It establishes a baseline of normal user behavior (e.g., typical working hours, data access patterns, usual data transfer volumes) and then flags deviations from that norm. A user downloading gigabytes of sensitive data at 2 a.m., when that’s outside their usual profile, is a classic UBA use case, making it the best tool for detecting this specific anomaly.

B. Signature-based antivirus: Signature-based antivirus detects known malware based on predefined signatures. It has no capability to monitor user behavior or data download patterns for anomalous activity.

C. SIEM correlation rules only: While a SIEM can collect logs and run correlation rules, relying on “correlation rules only” might not be sufficient to detect this subtle anomaly without a pre-defined rule that specifically looks for “large data download by this user outside working hours.” UBA often provides more sophisticated baselining and anomaly detection capabilities that go beyond simple correlation, potentially feeding its findings into a SIEM.

D. Network access control: Network access control (NAC) manages who can connect to the network and what resources they can access based on device health and user authentication. It’s a preventative control for network admission, not a detection tool for monitoring user activity patterns after they’ve connected.
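The UBA baselining described in the explanation for question 9, as an added example (not code from the original page): it learns each user's usual hours of activity and download volume from constructed historical log lines, then scores a new event by how far it deviates. The log format, the users and the threshold choices (two-hour slack, three standard deviations) are assumptions for the demonstration.

```python
"""User behavior analytics (UBA) in miniature: baseline each user's normal hours and
download volume, then flag deviations. Added example; the log lines are constructed."""
from datetime import datetime
from statistics import mean, pstdev

# Constructed history: "<ISO timestamp> <user> <bytes downloaded>"
HISTORY = """
2024-05-06T09:12:00 alice 120000000
2024-05-06T14:03:00 alice 95000000
2024-05-07T10:41:00 alice 150000000
2024-05-07T16:20:00 alice 110000000
2024-05-08T11:05:00 alice 130000000
2024-05-06T08:55:00 bob 20000000
2024-05-07T09:30:00 bob 25000000
2024-05-08T17:10:00 bob 22000000
""".strip().splitlines()


def parse(line):
    ts, user, nbytes = line.split()
    return datetime.fromisoformat(ts), user, int(nbytes)


def hour_distance(a, b):
    """Circular distance between two hours of day, so 23:00 and 01:00 are 2 apart."""
    d = abs(a - b) % 24
    return min(d, 24 - d)


def build_baseline(lines):
    """Per user: the hours they were active and the mean/stddev of their download sizes."""
    per_user = {}
    for ts, user, nbytes in map(parse, lines):
        entry = per_user.setdefault(user, {"hours": set(), "sizes": []})
        entry["hours"].add(ts.hour)
        entry["sizes"].append(nbytes)
    return {u: {"hours": d["hours"], "mean": mean(d["sizes"]), "sd": pstdev(d["sizes"])}
            for u, d in per_user.items()}


def score(line, baseline, hour_slack=2, sigma=3.0):
    """Return the reasons an event deviates from its user's baseline (empty list = normal)."""
    ts, user, nbytes = parse(line)
    prof = baseline.get(user)
    if prof is None:
        return ["unknown user: no baseline"]
    reasons = []
    if all(hour_distance(ts.hour, h) > hour_slack for h in prof["hours"]):
        reasons.append(f"hour {ts.hour:02d} outside usual activity window")
    threshold = prof["mean"] + sigma * prof["sd"]
    if nbytes > threshold:
        reasons.append(f"{nbytes} bytes exceeds baseline threshold {int(threshold)}")
    return reasons


if __name__ == "__main__":
    profiles = build_baseline(HISTORY)
    print(score("2024-05-09T02:07:00 alice 4000000000", profiles))  # the 2 a.m. bulk download
```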

#10. Answer: A
Which firewall architecture is specifically designed to host public-facing services like web servers while protecting internal networks?

A. Screened subnet (DMZ)
A screened subnet, commonly known as a DMZ (Demilitarized Zone), is a network architecture specifically designed to host public-facing services (like web servers, mail servers, DNS servers) that need to be accessible from the internet, while keeping them logically separate and protected from the internal corporate network. It typically uses two firewalls (or a single firewall with multiple interfaces) to create a buffer zone, reducing the risk to the internal network if the public-facing services are compromised.

B. Transparent mode firewall: A transparent (or bridge mode) firewall operates at Layer 2 (Data Link) and acts like a network bridge, inspecting traffic without requiring IP address changes on devices. While useful for internal segmentation or specific deployments, it’s not primarily designed as the architecture for hosting public-facing services with distinct internal/external separation like a DMZ.

C. Application proxy firewall: An application proxy firewall (or application-level gateway) acts as an intermediary for specific application traffic (e.g., HTTP, FTP). It inspects traffic at the application layer and can offer strong security for those specific protocols. While often used within a DMZ for specific services, it describes a type of firewall or a feature, not the overall network architecture for hosting public-facing services.

D. Stateful firewall only: A stateful firewall tracks the state of active connections, allowing it to make intelligent decisions about which traffic to permit. While stateful inspection is a crucial feature of modern firewalls, “stateful firewall only” doesn’t describe a network architecture for isolating public-facing services. A DMZ almost always uses stateful firewalls, but the stateful firewall itself isn’t the architecture.