Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on subdomain 1.2 (Summarize fundamental security concepts) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Work through the ten questions below, then compare your choices with the explanations in the Answers section that follows.

#1. A security administrator at a healthcare company is tasked with ensuring patient data cannot be altered in transit by unauthorized parties. Which fundamental security concept is being addressed?

A. Confidentiality
B. Non-repudiation
C. Availability
D. Integrity

#2. A financial institution wants to ensure that employees cannot deny having initiated transactions once they are logged in and authenticated. Which principle ensures this requirement?

A. Integrity
B. Non-repudiation
C. Availability
D. Confidentiality

#3. Your organization is implementing a model where users must be continuously authenticated, and access decisions are dynamically evaluated based on risk. Which security concept does this describe?

A. Zero Trust
B. Gap analysis
C. AAA framework
D. Non-repudiation

#4. A system administrator deploys a firewall that enforces policies by checking traffic against rules and making a permit/deny decision. Which Zero Trust component is the firewall acting as?

A. Policy Engine
B. Policy Administrator
C. Data Plane
D. Policy Enforcement Point

#5. An attacker tailgates into a restricted server room. The organization later decides to install a small entry chamber requiring badge authentication before entry. What physical control is this?

A. Access control vestibule
B. Security guard
C. Bollard
D. Fencing

#6. A company installs reinforced posts at the front of its headquarters to prevent vehicles from ramming into the lobby. Which physical security control is this?

A. Security guard
B. Bollards
C. Fencing
D. Access control vestibule

#7. A cybersecurity team deploys a fake server that appears as a legitimate target in order to lure attackers and study their techniques. Which technology is this?

A. Honeynet
B. Honeyfile
C. Honeypot
D. Honeytoken

#8. An organization plants fake credit card records in its database that trigger alerts if accessed by attackers. Which deception technology is this?

A. Honeypot
B. Honeytoken
C. Honeynet
D. Honeyfile

#9. A company performs a review and discovers that several required security controls from a recent compliance framework are missing from its current implementation. What process is being described?

A. Gap analysis
B. Zero Trust
C. Authentication
D. Deception technology

#10. A company has implemented badge readers at building entrances and requires employees to present an ID card before entry. Which AAA principle does this fulfill?

A. Authentication
B. Authorization
C. Accounting
D. Non-repudiation

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.


Answers

#1. Correct answer: D

A security administrator at a healthcare company is tasked with ensuring patient data cannot be altered in transit by unauthorized parties. Which fundamental security concept is being addressed?

A. Confidentiality (Incorrect): Confidentiality is about preventing the unauthorized disclosure or viewing of data. The scenario focuses on preventing modification, not viewing.

B. Non-repudiation (Incorrect): Non-repudiation ensures that a party to a transaction cannot deny having performed it. The scenario is about data alteration, not accountability for a transaction.

C. Availability (Incorrect): Availability ensures that data and systems are accessible to authorized users when needed. The scenario focuses on data alteration, not access.

D. Integrity (Correct): The security concept being addressed is integrity. Integrity ensures that data has not been modified, deleted or fabricated by unauthorized parties, whether at rest or in transit; mechanisms such as hashes, message authentication codes and digital signatures let the receiver detect any alteration. Preventing data from being “altered in transit” is a direct application of this principle.

#2. Correct answer: B

A financial institution wants to ensure that employees cannot deny having initiated transactions once they are logged in and authenticated. Which principle ensures this requirement?

A. Integrity (Incorrect): Integrity ensures that data has not been altered or destroyed in an unauthorized manner. While crucial for a transaction, it does not prevent the user from denying the action itself.

B. Non-repudiation (Correct): Non-repudiation ensures that an individual or entity cannot deny having performed a particular action, such as initiating a transaction. By combining strong authentication with tamper-evident logging and, for the strongest proof, digital signatures made with a key only the user holds, the financial institution creates evidence that ties each transaction to the authenticated user and that the user cannot credibly dispute.

C. Availability (Incorrect): Availability ensures that systems and data are accessible to authorized users when needed. The scenario is about accountability, not access.

D. Confidentiality (Incorrect): Confidentiality is about preventing unauthorized disclosure of information. It does not relate to proving a user’s involvement in a transaction.
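The distinction behind questions 1 and 2 is easier to see in code. The following is an added example, not part of the original practice test: it uses the Python standard library HMAC to show that a message authentication code lets the receiver detect alteration in transit (integrity), and then shows why the same construction cannot give non-repudiation, because the receiver holds the shared key and can forge a valid tag itself. The patient record, the key and the field names are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Shared secret between sender (client) and receiver (hospital API).
# Constructed for this example; in practice it comes from key management.
SHARED_KEY = secrets.token_bytes(32)


def tag(key: bytes, message: bytes) -> bytes:
    """HMAC-SHA256 over the message: an integrity check for data in transit."""
    return hmac.new(key, message, hashlib.sha256).digest()


def send(key: bytes, message: bytes) -> tuple:
    """Sender side: attach a tag to the message."""
    return message, tag(key, message)


def verify(key: bytes, message: bytes, received_tag: bytes) -> bool:
    """Receiver side: recompute the tag and compare in constant time."""
    return hmac.compare_digest(tag(key, message), received_tag)


def tamper_in_transit(message: bytes) -> bytes:
    """Model an on-path attacker flipping one bit of the record."""
    altered = bytearray(message)
    altered[0] ^= 0x01
    return bytes(altered)


def integrity_demo() -> tuple:
    """Returns (clean record accepted?, tampered record accepted?)."""
    record = b'{"patient_id": 4711, "allergy": "penicillin"}'  # constructed
    msg, t = send(SHARED_KEY, record)
    accepted_clean = verify(SHARED_KEY, msg, t)
    accepted_tampered = verify(SHARED_KEY, tamper_in_transit(msg), t)
    return accepted_clean, accepted_tampered


def receiver_can_forge() -> bool:
    """Why an HMAC does not give non-repudiation: the receiver has the same key,
    so it can produce a valid tag for a record the sender never sent. A third
    party cannot tell sender and receiver apart. Non-repudiation needs a
    private key only the sender holds, i.e. a digital signature."""
    forged = b'{"patient_id": 4711, "allergy": "none"}'
    forged_tag = tag(SHARED_KEY, forged)   # computed by the receiver
    return verify(SHARED_KEY, forged, forged_tag)


if __name__ == "__main__":
    print("integrity (clean, tampered):", integrity_demo())
    print("receiver can forge a valid tag:", receiver_can_forge())
```

In production the non-repudiation half would use an asymmetric signature (for example Ed25519 or RSA via a library such as cryptography) with the verification key published through a PKI, so anyone can check the signature but only the signer can create it.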

#3. Correct answer: A

Your organization is implementing a model where users must be continuously authenticated, and access decisions are dynamically evaluated based on risk. Which security concept does this describe?

A. Zero Trust (Correct): This model is the definition of Zero Trust. The core principle of Zero Trust is to “never trust, always verify.” It assumes no user, device, or network is inherently trustworthy, regardless of its location. Access is granted only after continuous authentication and dynamic risk evaluation, ensuring that access decisions are made in real time based on the current context.

B. Gap analysis (Incorrect): Gap analysis is a process for comparing an organization’s current security state to a desired future state to identify deficiencies. It is a process, not a security model.

C. AAA framework (Incorrect): The AAA framework (Authentication, Authorization, and Accounting) is a foundational concept for controlling access. Zero Trust builds on it, but AAA by itself does not include the dynamic, continuous, risk-based evaluation that defines the Zero Trust model.

D. Non-repudiation (Incorrect): Non-repudiation ensures that a party to a transaction cannot deny having performed it. This is a principle related to accountability, not a dynamic access control model.

#4. Correct answer: D

A system administrator deploys a firewall that enforces policies by checking traffic against rules and making a permit/deny decision. Which Zero Trust component is the firewall acting as?

A. Policy Engine (Incorrect): The Policy Engine is the “brain” of the Zero Trust model. It weighs policy and current signals (identity, device posture, threat intelligence) and decides to grant, deny or revoke access, but it does not enforce that decision itself.

B. Policy Administrator (Incorrect): The Policy Administrator executes the Policy Engine’s decision: it instructs the Policy Enforcement Point to establish or tear down the session, for example by issuing session credentials, and it relays the enforcement point’s requests to the engine. It coordinates the control plane; it does not inspect traffic and permit or deny it.

C. Data Plane (Incorrect): The data plane is not a single component but the layer in which the subject, the Policy Enforcement Point and the resource communicate; the Policy Engine and Policy Administrator form the control plane above it. The firewall operates in the data plane as the enforcement point, so “data plane” names where it sits, not which component it is.

D. Policy Enforcement Point (Correct): The firewall is acting as a Policy Enforcement Point (PEP). In a Zero Trust architecture, the PEP is the component responsible for enforcing the access decisions made by the Policy Engine. The firewall, by permitting or denying network traffic, is the control gate that directly enforces the security policy.
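To make the division of labour between the Zero Trust components in questions 3 and 4 concrete, here is an added Python model (not from the original page, and not any real product’s API) of a Policy Engine, Policy Administrator and Policy Enforcement Point. The risk scoring, thresholds, resource names and request fields are assumptions chosen for illustration; the point is that the PEP only forwards or drops traffic, the engine alone decides, and every request is re-evaluated against current signals.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    STEP_UP = "step_up"  # refused until the user re-authenticates


@dataclass
class AccessRequest:
    """Signals the PEP collects per request (assumed fields for the example)."""
    subject: str
    resource: str
    device_compliant: bool   # posture from the endpoint agent
    mfa_age_minutes: int     # minutes since the last MFA proof
    src_country: str
    home_country: str
    threat_score: int        # 0..100 from UEBA / threat intelligence


@dataclass
class PolicyEngine:
    """Control plane: decides, never touches traffic."""
    max_mfa_age: int = 60
    deny_threshold: int = 80
    sensitive: set = field(default_factory=lambda: {"ehr-db"})

    def evaluate(self, req: AccessRequest) -> Decision:
        risk = req.threat_score
        if not req.device_compliant:
            risk += 40
        if req.src_country != req.home_country:
            risk += 20
        if risk >= self.deny_threshold:
            return Decision.DENY
        if req.resource in self.sensitive and req.mfa_age_minutes > self.max_mfa_age:
            return Decision.STEP_UP
        return Decision.ALLOW


@dataclass
class PolicyAdministrator:
    """Control plane: carries the request to the engine and executes its verdict
    by establishing or tearing down the session the PEP will enforce."""
    engine: PolicyEngine
    sessions: dict = field(default_factory=dict)

    def handle(self, req: AccessRequest) -> Decision:
        verdict = self.engine.evaluate(req)
        key = (req.subject, req.resource)
        if verdict is Decision.ALLOW:
            self.sessions[key] = True
        else:
            self.sessions.pop(key, None)   # revoke any existing session
        return verdict


@dataclass
class PolicyEnforcementPoint:
    """Data plane: the firewall or proxy in front of the resource. It forwards
    or drops traffic based solely on what the administrator tells it."""
    administrator: PolicyAdministrator

    def forward(self, req: AccessRequest, payload: str) -> str:
        verdict = self.administrator.handle(req)
        if verdict is Decision.ALLOW:
            return f"forwarded to {req.resource}: {payload}"
        return f"dropped ({verdict.value})"


def demo() -> list:
    """Three requests from the same user; each is evaluated afresh."""
    pep = PolicyEnforcementPoint(PolicyAdministrator(PolicyEngine()))
    base = dict(subject="nurse.a", resource="ehr-db", device_compliant=True,
                mfa_age_minutes=5, src_country="US", home_country="US",
                threat_score=10)
    return [
        pep.forward(AccessRequest(**base), "SELECT ..."),
        # an hour later: MFA proof is stale for a sensitive resource
        pep.forward(AccessRequest(**{**base, "mfa_age_minutes": 90}), "SELECT ..."),
        # device out of compliance, foreign source, UEBA raises the score
        pep.forward(AccessRequest(**{**base, "device_compliant": False,
                                      "src_country": "RO", "threat_score": 30}),
                    "SELECT ..."),
    ]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note that the firewall class never sees the policy: it asks, then forwards or drops. Swapping the engine’s scoring for a real risk service changes nothing at the enforcement point, which is the separation the exam question is testing.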

#5. Correct answer: A

An attacker tailgates into a restricted server room. The organization later decides to install a small entry chamber requiring badge authentication before entry. What physical control is this?

A. Access control vestibule (Correct): An access control vestibule, also commonly known as a mantrap, is a physical control specifically designed to prevent tailgating. It is a small, enclosed entryway with two interlocking doors, which ensures that only one person can enter at a time.

B. Security guard (Incorrect): While a security guard can prevent tailgating, they are a person, not a physical structure. The scenario describes a mechanical system.

C. Bollard (Incorrect): A bollard is a sturdy post used to protect an area from vehicle collisions. It has no purpose in preventing people from tailgating through a doorway.

D. Fencing (Incorrect): Fencing is an outdoor physical barrier used to secure a perimeter. It is not an entry chamber for a building or room.

#6. Correct answer: B

A company installs reinforced posts at the front of its headquarters to prevent vehicles from ramming into the lobby. Which physical security control is this?

A. Security guard (Incorrect): A security guard is a person who provides physical security, not a physical structure or barrier.

B. Bollards (Correct): Bollards are a type of physical security control designed to protect buildings, assets, and people from vehicle-based attacks. The reinforced posts described are a classic example of bollards, which act as a barrier to prevent vehicles from ramming into a structure.

C. Fencing (Incorrect): Fencing is a perimeter control used to restrict physical access to an area. It is generally not designed to withstand a vehicle impact.

D. Access control vestibule (Incorrect): An access control vestibule (or mantrap) is a secure entry chamber designed to prevent tailgating by people, not to stop vehicles.

#7. Correct answer: C

A cybersecurity team deploys a fake server that appears as a legitimate target in order to lure attackers and study their techniques. Which technology is this?

A. Honeynet (Incorrect): A honeynet is a network of two or more honeypots, used to simulate a larger, more complex environment. A single fake server is a honeypot, not a honeynet.

B. Honeyfile (Incorrect): A honeyfile is a decoy file placed on a legitimate system. It is designed to alert the security team when it is accessed or moved, but it is not a fake system itself.

C. Honeypot (Correct): A honeypot is a trap for cyber attackers. It is a fake system, server, or application that appears to be a legitimate target but is actually isolated and monitored. Its sole purpose is to lure attackers and collect data on their methods, tools, and motives.

D. Honeytoken (Incorrect): A honeytoken is a piece of fake data rather than a fake system: a dummy credential, API key or database record planted where only an attacker would touch it. Use of the token alerts the security team, but it does not present a server for an attacker to interact with.

#8. Correct answer: B

An organization plants fake credit card records in its database that trigger alerts if accessed by attackers. Which deception technology is this?

A. Honeypot (Incorrect): A honeypot is an entire fake system, server, or application designed to lure and trap an attacker. The scenario describes fake data within a real system, not a fake system itself.

B. Honeytoken (Correct): A honeytoken is a piece of fake, sensitive data, such as a credit card number, a social security number, or a password, planted within a legitimate system. Its sole purpose is to act as a digital tripwire, triggering an alert when an unauthorized party accesses it, thereby indicating a compromise.

C. Honeynet (Incorrect): A honeynet is a network of multiple honeypots used to simulate a larger environment. This is a complex setup, not a single data record.

D. Honeyfile (Incorrect): A honeyfile is a decoy file (e.g., a document or spreadsheet) designed to be a tripwire. While related, “honeytoken” is a more specific term for a fake data record within a database.
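A honeytoken only works if something is watching for it. The following added Python example (not part of the original page) plants Luhn-valid decoy card numbers, keeps only their hashes in a watchlist, and raises an alert when a query result contains one of them, even after an attacker’s tooling has reformatted the number. The decoy prefix, the database user names and the query events are all constructed for the example; the prefix is a placeholder, not a real issuer range.

```python
import hashlib
import random
import re


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn test, so a decoy survives
    the validity check an attacker's tooling may run before using a number."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:          # rightmost digit of `partial` is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return len(pan) == 16 and pan.isdigit() and luhn_check_digit(pan[:-1]) == pan[-1]


def synthetic_pan(seed: int, prefix: str = "4000") -> str:
    """Deterministic 16-digit, Luhn-valid number. The prefix is a placeholder
    for the example, not a real issuer range."""
    rng = random.Random(seed)
    body = prefix + "".join(str(rng.randrange(10)) for _ in range(15 - len(prefix)))
    return body + luhn_check_digit(body)


def fingerprint(pan: str) -> str:
    """Hash of the digits only, so spaces or dashes added by an exfiltration
    tool still match the planted record."""
    return hashlib.sha256(re.sub(r"\D", "", pan).encode()).hexdigest()


# Decoys planted in the customer table (constructed). The monitor keeps only
# their fingerprints, so a leaked watchlist does not hand out the decoys.
HONEYTOKENS = [synthetic_pan(s) for s in (1, 2, 3)]
WATCHLIST = {fingerprint(t) for t in HONEYTOKENS}


def detect(events) -> list:
    """events: (timestamp, db_user, rows) tuples, rows being the dicts a query
    returned. One alert per event that read at least one decoy."""
    alerts = []
    for ts, user, rows in events:
        hits = [r["card_id"] for r in rows
                if fingerprint(r.get("pan", "")) in WATCHLIST]
        if hits:
            alerts.append({"time": ts, "user": user,
                           "decoys": hits, "rows_read": len(rows)})
    return alerts


def demo() -> list:
    """Constructed query-result events: normal checkout traffic, then a
    read-only service account bulk-reading the table in the small hours."""
    dashed = "-".join(HONEYTOKENS[1][i:i + 4] for i in range(0, 16, 4))
    events = [
        ("2024-05-01T09:00:00Z", "app_checkout",
         [{"card_id": 501, "pan": synthetic_pan(50)}]),
        ("2024-05-02T02:13:07Z", "svc_backup_ro",
         [{"card_id": 1, "pan": HONEYTOKENS[0]},
          {"card_id": 502, "pan": synthetic_pan(51)}]),
        # exfil tool reformatted the number; digit-only hashing still matches
        ("2024-05-02T02:14:30Z", "svc_backup_ro",
         [{"card_id": 2, "pan": dashed}]),
    ]
    return detect(events)


if __name__ == "__main__":
    for alert in demo():
        print("ALERT", alert)
```

Because the decoy rows have no legitimate consumer, any hit is high-confidence; the alert carries the user, the time and how many real rows came back alongside the decoy, which is what an incident responder needs to scope the read.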

#9. Correct answer: A

A company performs a review and discovers that several required security controls from a recent compliance framework are missing from its current implementation. What process is being described?

A. Gap analysis (Correct): Gap analysis is a process that compares a current state (your organization’s existing security controls) with a desired state (the requirements of a compliance framework) to identify any “gaps,” or missing controls. The scenario perfectly describes this process.

B. Zero Trust (Incorrect): Zero Trust is a security model that operates on the principle of “never trust, always verify.” It is a framework for how access should be managed, not a process for comparing controls.

C. Authentication (Incorrect): Authentication is a technical process of verifying a user’s identity before granting access. It is a specific security control, not a review process.

D. Deception technology (Incorrect): Deception technology involves using fake systems to lure attackers. It is a specific type of technology, not a review or analysis process.

#10. Correct answer: A

A company has implemented badge readers at building entrances and requires employees to present an ID card before entry. Which AAA principle does this fulfill?

A. Authentication (Correct): The badge reader and ID card fulfill the authentication principle. Authentication is the process of verifying an individual’s identity. The badge reader system verifies that the employee presenting the card is a valid user before proceeding with the next step, which is granting access.

B. Authorization (Incorrect): Authorization is the process of granting or denying a specific level of access to a resource. While a badge reader system ultimately leads to authorization (e.g., the door unlocks), the act of using the badge to prove identity is the authentication step.

C. Accounting (Incorrect): Accounting (or Auditing) is the process of tracking and logging a user’s activities, such as who entered a location and at what time. While the badge reader system may perform this function, the act of using the badge is for identity verification, not logging.

D. Non-repudiation (Incorrect): Non-repudiation ensures that a user cannot deny an action they have performed. This is a separate principle from the initial verification of identity.