Welcome to today’s CompTIA Security+ practice test!
Today’s practice test is based on subdomain 1.4 (Explain the importance of using appropriate cryptographic solutions) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. A government agency requires long-term archival storage of sensitive records. They want to ensure the files remain confidential for decades, even if computing power increases. Which factor is MOST important in selecting an encryption algorithm?
#2. A company wants to securely back up private keys for disaster recovery but must prevent unauthorized access. Which method BEST meets this requirement?
#3. An administrator is asked to ensure that emails between executives are encrypted and digitally signed. Which standard is MOST appropriate?
#4. A SOC analyst finds that a TLS certificate on a public-facing web server has expired. What is the MOST likely impact?
#5. A database stores customer Social Security numbers but masks the middle digits when viewed by support staff. Which technique is being used?
#6. A company needs to ensure that authentication requests can be validated in real time to confirm whether a certificate has been revoked. Which method should be implemented?
#7. A system administrator is tasked with verifying that a downloaded software update has not been tampered with. Which cryptographic method should be used?
#8. An IoT device has limited processing power but needs to support encrypted communications. Which cryptographic solution is MOST appropriate?
#9. A security engineer is configuring a system to encrypt entire virtual machine storage volumes. Which encryption level is being applied?
#10. During an investigation, an analyst finds sensitive corporate documents hidden inside a seemingly normal audio file. Which security method did the attacker MOST likely use?
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | C | A. Algorithm type (symmetric vs. asymmetric) (Incorrect): Symmetric and asymmetric algorithms serve different purposes, and the choice between them is not what determines how long the data stays confidential. Either type can be secure when its key size is chosen appropriately for that algorithm; key sizes are not comparable across types (a 2048-bit RSA key offers roughly the same security as a 112-bit symmetric key). B. Hashing algorithm used for integrity (Incorrect): A hash lets you detect that data has been altered (integrity); it does nothing to stop the data from being read (confidentiality). C. Key length and algorithm strength (Correct): For a sound algorithm, the key length sets the cost of a brute-force attack, and every additional bit doubles that cost. Records that must stay confidential for decades should be encrypted with a well-analysed symmetric cipher and a long key, such as AES-256: even a future quantum computer running Grover's algorithm, which roughly halves the effective key length, would leave about 128 bits of security. This reasoning does not carry over to asymmetric algorithms such as RSA and ECC, which Shor's algorithm breaks regardless of key size, so if the symmetric data key is itself wrapped with an asymmetric key, that layer would need a post-quantum algorithm to last as long. D. Certificate revocation method (Incorrect): Revocation is how a CA invalidates a certificate. It concerns identity and trust and has no bearing on how strong the encryption protecting the archived data is. |
| 2 | B | A. Store them on removable media in plaintext (Incorrect): An unencrypted copy offers no protection at all; anyone who obtains the media owns the keys. B. Use key escrow with strict access controls (Correct): Key escrow is a formal process for holding copies of cryptographic keys, typically in an HSM or an offline vault, under defined access rules (for example split knowledge and dual control, so that no single person can retrieve a key alone) with every access logged. It gives a structured, recoverable backup for disaster recovery while still preventing unauthorized use. C. Generate a self-signed certificate for backup (Incorrect): A certificate binds a public key to an identity; it neither backs up nor protects the private key. D. Encrypt the keys and email them to system administrators (Incorrect): Encrypting the keys helps, but email leaves copies in multiple mailboxes and on mail servers, outside any access control or audit trail; a dedicated escrow solution provides both. |
| 3 | A | A. S/MIME (Correct): S/MIME (Secure/Multipurpose Internet Mail Extensions) is the industry-standard protocol for end-to-end email encryption and digital signatures, using X.509 certificates issued to each user. It meets both requirements: confidentiality through encryption of the message body and attachments, and integrity and non-repudiation through the sender's digital signature. B. SSL/TLS (Incorrect): TLS secures a single hop, such as the connection between a mail client and its server or between two mail servers. The message is decrypted at each server along the path and nothing is signed, so it provides neither end-to-end confidentiality nor proof of who sent the message. C. PGP hashing (Incorrect): PGP (Pretty Good Privacy, standardized as OpenPGP) would also meet the requirement, but "PGP hashing" is not a standard; hashing is just one step inside PGP's signing process. D. SHA-256 (Incorrect): SHA-256 is a hash algorithm that produces a fixed-length fingerprint of a message. It is a building block of a digital signature, not a complete standard for encrypting and signing email. |
| 4 | B | A. Encrypted sessions will immediately fail (Incorrect): Some clients do fail hard, for example automated API clients, mobile apps with pinned trust, and browsers visiting a site that enforces HSTS (where the bypass option is removed), but in the general browser case the user can still click through the warning, so this is not the most likely impact. B. Users will receive a trust warning in their browsers (Correct): When a browser connects, it validates the server's certificate, including that the current time falls between notBefore and notAfter. Once notAfter has passed, validation fails and the browser shows a full-page interstitial (for example "Your connection is not private") advising the user not to proceed. Expiry is one of the most common operational failures, which is why certificate lifetimes should be monitored and renewal automated. C. The private key will be invalidated permanently (Incorrect): The private key is unaffected by the certificate's expiry; it remains a valid key and could even sign a CSR for a renewed certificate, although rotating to a fresh key at renewal is the better practice. It simply cannot establish a trusted session with the expired certificate. D. The certificate will be revoked from the CRL (Incorrect): Revocation and expiry are different states. A CA revokes a certificate before its notAfter date, typically because the key was compromised or the subject's details changed, and lists its serial number on the CRL until the certificate expires. An expired certificate is invalid because of its age and does not need to appear on a CRL at all. |
| 5 | A | A. Data masking (Correct): Data masking hides part of a sensitive value while leaving enough visible for a legitimate purpose. Showing a Social Security number as ***-**-6789 lets support staff confirm the last four digits with a caller while the full number stays hidden from them. B. Tokenization (Incorrect): Tokenization replaces the entire value with a non-sensitive surrogate that can only be mapped back to the original through a separate token vault. Staff would see the token, not a partial SSN. C. Obfuscation (Incorrect): Obfuscation is the general idea of making data hard to interpret. Masking is a specific form of it and the more precise answer for what is described. D. Hashing (Incorrect): A hash is a one-way transformation; nothing readable would be shown to staff, and the original SSN could not be recovered from it. Note also that a plain, unkeyed hash of a nine-digit SSN is not a safe way to store it, since the space of possible values is small enough to enumerate. |
| 6 | C | A. Key escrow (Incorrect): Key escrow stores copies of keys for backup or recovery; it plays no part in checking whether a certificate has been revoked. B. CRL (Incorrect): A Certificate Revocation List is a signed list of revoked certificate serial numbers that the CA publishes on a schedule. Clients download it periodically, so a revocation may go unnoticed until the next CRL is fetched; it is not real time. C. OCSP (Correct): With the Online Certificate Status Protocol, the client (or the server itself, when OCSP stapling is used) queries the CA's OCSP responder for one specific certificate and receives a signed answer of good, revoked or unknown as of the time of the check. This gives each authentication request the most current status available. In practice, many clients soft-fail (treat the certificate as valid) when the responder cannot be reached, so OCSP stapling with a must-staple policy is needed if a hard guarantee is required. D. CSR (Incorrect): A Certificate Signing Request is what a requester sends to a CA to obtain a new certificate. It belongs to issuance, not validation. |
| 7 | A | A. Digital signature verification (Correct): The vendor signs the update (or its hash) with their private key; the administrator verifies the signature with the vendor's public key. A successful check proves both integrity (the bytes match exactly what was signed) and authenticity (only the holder of the private key could have produced the signature). The public key must be obtained through a trusted channel in advance, and a bare checksum published next to the download on the same server is not a substitute: an attacker who can replace the file can replace the checksum too. B. Key stretching (Incorrect): Key stretching (for example PBKDF2, bcrypt or Argon2) makes a password slower to brute-force. It has nothing to do with file integrity. C. Tokenization (Incorrect): Tokenization substitutes a surrogate for sensitive data; it is a data-protection technique, not a way to verify a file. D. Steganography (Incorrect): Steganography hides data inside another file, such as an image or audio file. It conceals; it does not verify. |
| 8 | B | A. RSA 4096-bit encryption (Incorrect): RSA private-key operations are expensive and their cost grows quickly with key size; a 4096-bit key demands far more CPU time and memory than a constrained device can spare, and the large keys and signatures also cost bandwidth on a low-power radio. B. Elliptic Curve Cryptography (ECC) (Correct): ECC delivers the same security level with much shorter keys (a 256-bit curve such as P-256 is roughly equivalent to 3072-bit RSA), so key agreement (ECDH) and signatures (ECDSA, EdDSA) are faster, use less memory and power, and send fewer bytes. That makes it the standard choice for IoT. Once the keys are agreed, the bulk traffic is still protected with a symmetric cipher such as AES, which is cheap on any hardware. C. Blockchain ledger (Incorrect): A blockchain is a distributed, append-only ledger. It uses cryptography but is not a mechanism for encrypting point-to-point communications. D. Symmetric key stretching (Incorrect): Key stretching deliberately makes deriving a key from a password slow and expensive. Adding computational cost is the opposite of what a constrained device needs. |
| 9 | C | A. Full-disk encryption (Incorrect): Full-disk encryption normally refers to encrypting a physical drive end to end, including the boot sector. A virtual disk is logically a whole disk, but of the encryption levels the objectives list (full-disk, partition, file, volume, database, record), the one that describes a VM's storage volume is volume encryption. B. Partition encryption (Incorrect): Partition encryption covers a single partition on a disk, not the whole storage volume used by the VM. C. Volume encryption (Correct): A virtual machine's storage is provisioned as a logical volume (a virtual disk image). Encrypting that entire volume, which contains the guest operating system and all of its files, is volume-level encryption; cloud providers offer it as encryption of block-storage volumes with provider- or customer-managed keys. D. File encryption (Incorrect): File encryption protects individual files one at a time. The scenario encrypts the whole volume, not selected files. |
| 10 | B | A. Obfuscation (Incorrect): Obfuscation is the broad concept of making something hard to understand or analyse. Steganography is a specific form of it and the precise term for hiding data inside another file. B. Steganography (Correct): Steganography conceals a file or message inside another file (an image, audio or video) so that the carrier looks normal and the existence of the hidden data is not apparent. Audio carriers are typically modified in the least-significant bits of the samples, which changes nothing a listener would notice, and exfiltration in this form passes controls that only inspect the carrier's file type. C. Tokenization (Incorrect): Tokenization swaps sensitive data for a surrogate value; it is a data-protection control, not a way to hide files. D. Data masking (Incorrect): Data masking redacts parts of a sensitive value, such as a Social Security number, for display. It does not conceal whole files. |
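The distinction behind question 5 (masking shows part of the value, tokenization replaces all of it with a surrogate that only a vault can reverse, hashing is one-way) is easier to see in code. The example below is added here and is not from the original post; the SSN value, the in-memory vault and the HMAC key are all constructed for the demonstration. It also shows the caveat from the answer table: an unkeyed hash of an SSN is not protection, and combined with a masked view it falls to a 100,000-guess brute force.

```python
"""Masking vs. tokenization vs. hashing for a stored SSN (added example)."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Constructed sample record for the demo; not a real SSN.
CUSTOMER_SSN = "123-45-6789"


def mask_ssn(ssn: str) -> str:
    """Data masking: keep the last four digits for caller verification, hide the rest.
    This masked form is all the support-desk view should ever receive."""
    digits = ssn.replace("-", "")
    if len(digits) != 9 or not digits.isdigit():
        raise ValueError("expected a 9-digit SSN")
    return "***-**-" + digits[-4:]


class TokenVault:
    """Tokenization: the application stores only the token; the mapping back to the
    real value lives here, behind a small, audited service."""

    def __init__(self) -> None:
        self._token_to_value: Dict[str, str] = {}
        self._value_to_token: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        if value in self._value_to_token:        # same value -> same token (stable joins)
            return self._value_to_token[value]
        token = "tok_" + secrets.token_hex(8)    # random; carries no information about value
        self._token_to_value[token] = value
        self._value_to_token[value] = token
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_value[token]       # KeyError for an unknown token


def hash_ssn(ssn: str, key: bytes) -> str:
    """Keyed one-way hash (HMAC-SHA256): lets you match a value without storing it.
    The secret key is what stops offline enumeration of the 10**9 possible SSNs."""
    return hmac.new(key, ssn.encode(), hashlib.sha256).hexdigest()


def recover_from_mask_and_plain_hash(masked: str, plain_sha256_hex: str) -> Optional[str]:
    """Why an unkeyed hash is not protection: given the masked view, an attacker
    only has to enumerate the five hidden digits (100,000 SHA-256 computations)."""
    last4 = masked[-4:]
    for n in range(100_000):
        guess = f"{n:05d}"
        candidate = f"{guess[:3]}-{guess[3:]}-{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == plain_sha256_hex:
            return candidate
    return None


def demo() -> dict:
    vault = TokenVault()
    key = secrets.token_bytes(32)                # constructed; in production from a KMS/HSM
    token = vault.tokenize(CUSTOMER_SSN)
    unkeyed = hashlib.sha256(CUSTOMER_SSN.encode()).hexdigest()
    return {
        "masked": mask_ssn(CUSTOMER_SSN),
        "token_roundtrip": vault.detokenize(token) == CUSTOMER_SSN,
        "token_stable": vault.tokenize(CUSTOMER_SSN) == token,
        "keyed_hash_matches_same_value": hash_ssn(CUSTOMER_SSN, key) == hash_ssn("123-45-6789", key),
        "keyed_hash_differs_for_neighbour": hash_ssn("123-45-6788", key) != hash_ssn(CUSTOMER_SSN, key),
        "plain_hash_recovered_from_mask": recover_from_mask_and_plain_hash(mask_ssn(CUSTOMER_SSN), unkeyed),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The last line of `demo()` is the practical lesson: a "masked" display and a "hashed" column in the same database are not independent controls if the hash is unkeyed.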

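For question 7, the following added example (not from the original post) shows the verification an administrator would script, and why a checksum alone is not enough. It uses the `cryptography` package's Ed25519 implementation; the vendor key pair, the update payload and the attacker's tampered copy are constructed inline so it runs offline.

```python
"""Verify a downloaded software update with a digital signature (added example).

Requires the `cryptography` package (pip install cryptography).
"""
import hashlib

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

# --- Vendor side: generated once, kept offline; constructed here for the demo ---
VENDOR_PRIVATE_KEY = Ed25519PrivateKey.generate()
VENDOR_PUBLIC_KEY_RAW = VENDOR_PRIVATE_KEY.public_key().public_bytes(
    encoding=serialization.Encoding.Raw,
    format=serialization.PublicFormat.Raw,
)  # 32 bytes; this is what the administrator obtains out of band and pins

# Constructed update payload standing in for the downloaded file.
GENUINE_UPDATE = b"app-1.2.3: fix auth bypass in /login handler\n" * 20


def sign_update(private_key: Ed25519PrivateKey, update: bytes) -> bytes:
    """Vendor signs the raw update bytes; returns a 64-byte detached signature."""
    return private_key.sign(update)


def verify_update(public_key_raw: bytes, update: bytes, signature: bytes) -> bool:
    """Administrator side: True only if `signature` was produced over exactly these
    bytes by the holder of the private key matching `public_key_raw`."""
    public_key = Ed25519PublicKey.from_public_bytes(public_key_raw)
    try:
        public_key.verify(signature, update)
        return True
    except InvalidSignature:
        return False


def checksum_matches(update: bytes, published_sha256_hex: str) -> bool:
    """A bare checksum proves the file matches the digest you were handed;
    it says nothing about who produced either of them."""
    return hashlib.sha256(update).hexdigest() == published_sha256_hex


def demo() -> dict:
    """Genuine update verifies; a tampered update fails signature verification even
    when the attacker also republishes a matching checksum next to it."""
    signature = sign_update(VENDOR_PRIVATE_KEY, GENUINE_UPDATE)

    # Attacker with write access to the download server swaps the file AND its checksum.
    tampered = GENUINE_UPDATE.replace(b"fix auth bypass", b"add backdoor   ")
    attacker_digest = hashlib.sha256(tampered).hexdigest()

    return {
        "genuine_signature_ok": verify_update(VENDOR_PUBLIC_KEY_RAW, GENUINE_UPDATE, signature),
        "tampered_signature_ok": verify_update(VENDOR_PUBLIC_KEY_RAW, tampered, signature),
        # The checksum check is fooled because the attacker controls the published digest.
        "tampered_checksum_ok": checksum_matches(tampered, attacker_digest),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

In practice the public key is distributed with the operating system or the first install of the product, not fetched from the same server as the update, and the signature is checked before the update is unpacked or executed.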

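Question 10's scenario, documents hidden in an audio file, is usually done by rewriting the least-significant bit of each PCM sample. The example below is added here and is not from the original post: it builds a constructed WAV carrier (a plain 440 Hz tone), embeds a constructed "document" in the sample LSBs behind a 4-byte length header, recovers it, and measures how little the carrier changed. Everything is standard-library Python.

```python
"""LSB audio steganography: hide bytes in a WAV file and recover them (added example)."""
import io
import math
import struct
import wave

SAMPLE_RATE = 8000
NUM_SAMPLES = SAMPLE_RATE * 2      # 2 s of 16-bit mono -> 16000 samples -> 2000 bytes capacity

# Constructed "sensitive document" for the demo.
SECRET_DOCUMENT = b"CONFIDENTIAL: Q3 acquisition target list - see attached spreadsheet"


def make_carrier_wav() -> bytes:
    """Constructed innocuous audio: a 440 Hz tone, 16-bit mono PCM, as WAV bytes."""
    frames = b"".join(
        struct.pack("<h", int(12000 * math.sin(2 * math.pi * 440 * n / SAMPLE_RATE)))
        for n in range(NUM_SAMPLES)
    )
    return _write_samples(list(struct.unpack("<%dh" % NUM_SAMPLES, frames)))


def _read_samples(wav_bytes: bytes) -> list:
    with wave.open(io.BytesIO(wav_bytes), "rb") as w:
        if w.getnchannels() != 1 or w.getsampwidth() != 2:
            raise ValueError("demo handles 16-bit mono WAV only")
        raw = w.readframes(w.getnframes())
    return list(struct.unpack("<%dh" % (len(raw) // 2), raw))


def _write_samples(samples: list) -> bytes:
    buf = io.BytesIO()
    with wave.open(buf, "wb") as w:
        w.setnchannels(1)
        w.setsampwidth(2)
        w.setframerate(SAMPLE_RATE)
        w.writeframes(struct.pack("<%dh" % len(samples), *samples))
    return buf.getvalue()


def embed(wav_bytes: bytes, payload: bytes) -> bytes:
    """Overwrite the LSB of successive samples with a 32-bit big-endian length
    header followed by the payload bits (MSB first within each byte)."""
    samples = _read_samples(wav_bytes)
    data = struct.pack(">I", len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]
    if len(bits) > len(samples):
        raise ValueError("carrier too small: need %d samples, have %d" % (len(bits), len(samples)))
    for idx, bit in enumerate(bits):
        samples[idx] = (samples[idx] & ~1) | bit   # changes each sample by at most 1
    return _write_samples(samples)


def extract(wav_bytes: bytes) -> bytes:
    """Read the length header, then that many bytes, from the sample LSBs."""
    samples = _read_samples(wav_bytes)

    def take_bytes(start_bit: int, count: int) -> bytes:
        out = bytearray()
        for b in range(count):
            value = 0
            for i in range(8):
                value = (value << 1) | (samples[start_bit + b * 8 + i] & 1)
            out.append(value)
        return bytes(out)

    (length,) = struct.unpack(">I", take_bytes(0, 4))
    if 32 + length * 8 > len(samples):
        raise ValueError("length header does not fit the carrier; probably not a stego file")
    return take_bytes(32, length)


def max_sample_delta(a: bytes, b: bytes) -> int:
    """Largest per-sample change between two WAVs; 1 LSB out of 65536 is inaudible."""
    return max(abs(x - y) for x, y in zip(_read_samples(a), _read_samples(b)))


def demo() -> dict:
    carrier = make_carrier_wav()
    stego = embed(carrier, SECRET_DOCUMENT)
    return {
        "same_size": len(carrier) == len(stego),
        "max_delta": max_sample_delta(carrier, stego),
        "recovered": extract(stego),
    }


if __name__ == "__main__":
    result = demo()
    print(result["same_size"], result["max_delta"], result["recovered"])
```

The file keeps its size, format and playback behaviour, which is why a DLP control that only checks file type or hashes known documents will not catch it; detection relies on context (why is this user emailing audio?) or statistical analysis of the low-order bits.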
