Welcome to today’s CompTIA Security+ practice test!

Today’s practice test is based on subdomain 2.2 (Explain common threat vectors and attack surfaces.) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.


#1. A company receives reports that several employees are redirected to a fake login page after visiting a compromised industry news website. Which attack vector does this best represent?


#2. A user reports receiving an urgent voicemail instructing them to call a number to “verify their corporate account.” When the user calls, the attacker requests sensitive credentials. Which attack method is this?


#3. A security administrator at a healthcare organization discovers that employees are receiving emails with attachments disguised as invoices. When opened, the attachments attempt to install malware on the recipient’s machine. The administrator notes that the attack relies on convincing users to open the file. Which of the following threat vectors is primarily being used in this attack?


#4. An analyst in a SOC observes a large number of login attempts against a cloud-hosted web portal using the vendor’s default administrator credentials. The attempts are automated and come from multiple IP addresses. Which common threat vector is being targeted?


#5. An attacker compromises a vendor’s update server and pushes a malicious patch to customers. The patch appears legitimate but installs a backdoor that grants remote access. Which of the following best describes the vector being used?


#6. A SOC analyst detects that attackers gained access to internal systems by exploiting a web application running on an unpatched server. The vendor had ended support for this application years ago. Which attack surface was exploited?


#7. During a security audit, consultants discover that several internal services are running with open ports exposed to the internet, including Telnet and FTP. Attackers are already scanning the network for these services. Which attack surface does this represent?


#8. An attacker creates a malicious image file that, when opened, executes code exploiting a vulnerability in the company’s photo viewer software. Several employees download and open the file from a shared drive. Which threat vector was used?


#9. A multinational company discovers that employees in a specific region were redirected to a fake HR portal after visiting a legitimate government job website. The attackers injected malicious code into the trusted site to capture corporate credentials. Which vector is being exploited?


#10. A system administrator notices malware spreading across the network from a laptop infected after connecting a personal USB drive. The malware leveraged autorun to execute as soon as the device was plugged in. Which attack vector is this?


Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.


Answers

#1. Answer: A

A company receives reports that several employees are redirected to a fake login page after visiting a compromised industry news website. Which attack vector does this best represent?

A. Watering hole attack (Correct): A watering hole attack is an attack vector that targets a specific group of users by compromising a website they are known to frequent. The attacker waits for the victims to visit the compromised site, at which point they are redirected to a malicious page or infected with malware.

B. Business email compromise (Incorrect): This is an email-based social engineering attack where a criminal spoofs an email account to trick an employee into performing an action, such as a wire transfer.

C. Typosquatting (Incorrect): Typosquatting involves registering a domain name that is a common typo of a legitimate one, hoping users will accidentally visit it. The scenario describes a compromised legitimate site, not a typo.

D. Pretexting (Incorrect): Pretexting is a form of social engineering where an attacker creates a fabricated scenario (a pretext) to obtain sensitive information from a victim.
#2. Answer: B

A user reports receiving an urgent voicemail instructing them to call a number to “verify their corporate account.” When the user calls, the attacker requests sensitive credentials. Which attack method is this?

A. Smishing (Incorrect): Smishing is a form of phishing that uses text messages (SMS) to deceive victims. The attack described uses voice, not text.

B. Vishing (Correct): Vishing is a form of phishing that uses voice technology, such as phone calls or voicemails, to trick victims into revealing sensitive information. The attacker’s use of an urgent voicemail to manipulate the user is a classic example of this technique.

C. Phishing (Incorrect): Phishing is a general term for social engineering attacks, typically conducted over email. While vishing is a type of phishing, “vishing” is the more specific and correct term for a voice-based attack.

D. Business email compromise (Incorrect): Business email compromise (BEC) is a targeted scam that uses fraudulent emails to trick an employee into transferring funds or sensitive data. This is an email-based attack, not a voice-based one.
#3. Answer: B

A security administrator at a healthcare organization discovers that employees are receiving emails with attachments disguised as invoices. When opened, the attachments attempt to install malware on the recipient’s machine. The administrator notes that the attack relies on convincing users to open the file.

Which of the following threat vectors is primarily being used in this attack?

A. Vulnerable software (Incorrect): While the malware may exploit a vulnerability in a software program to execute, the primary vector or initial delivery method is still the message itself. The vulnerability is what enables the payload, but the message is the vector.

B. Message-based vector (Correct): The attack primarily uses a message-based vector. This refers to any attack that uses a messaging system (like email or SMS) and social engineering to deliver a malicious payload. The deceptive email with a malware-laden attachment is the primary means of initial access.

C. Supply chain compromise (Incorrect): A supply chain compromise involves an attacker infiltrating a trusted vendor’s network or product to deliver malware to the vendor’s customers. This attack is not related to the supply chain.

D. Default credentials (Incorrect): This threat vector involves an attacker using weak or unchanged factory passwords to gain unauthorized access. The attack described relies on user interaction, not on a system’s weak password.
#4. Answer: C

An analyst in a SOC observes a large number of login attempts against a cloud-hosted web portal using the vendor’s default administrator credentials. The attempts are automated and come from multiple IP addresses.

Which common threat vector is being targeted?


A. Vulnerable software (Incorrect): This threat vector involves exploiting a flaw in a software’s code. The scenario describes a credential-based attack, not a software vulnerability exploit.

B. Supply chain (Incorrect): A supply chain attack involves compromising a trusted vendor to attack their customers. The attack here is a direct assault on the web portal, not a third-party compromise.

C. Default credentials (Correct): The attack is specifically targeting a default credentials threat vector. Attackers are attempting to log in using common, factory-set usernames and passwords (like “admin/admin” or “root/toor”) that vendors often ship with their products. This is a common attack method used by automated bots to gain unauthorized access to unhardened systems.

D. Business email compromise (Incorrect): This is an email-based scam that tricks employees into a malicious action. The attack described is a login attempt against a web portal.
#5. Answer: A

An attacker compromises a vendor’s update server and pushes a malicious patch to customers. The patch appears legitimate but installs a backdoor that grants remote access.

Which of the following best describes the vector being used?


A. Supply chain attack (Correct): A supply chain attack is a type of attack that targets an organization by compromising one of its third-party vendors or suppliers. In this scenario, the attacker compromised the vendor’s software update server (a key part of the supply chain) to deliver a malicious payload to the customer.

B. Image-based attack (Incorrect): An image-based attack typically refers to hiding a malicious payload within a seemingly harmless image file. This is not the vector being used here.

C. Human social engineering (Incorrect): While the initial compromise of the vendor might have involved social engineering, the vector used to deliver the malware to the end-users is the trusted software update channel, not a human-based trick.

D. Removable device attack (Incorrect): This involves an attack that uses a physical device, such as a USB drive. The attack described is network-based, using the vendor’s update server.
#6. Answer: B

A SOC analyst detects that attackers gained access to internal systems by exploiting a web application running on an unpatched server. The vendor had ended support for this application years ago.

Which attack surface was exploited?


A. Vulnerable software (Incorrect): While the software was vulnerable, “unsupported systems” is the more precise answer. The vulnerability existed specifically because the system was no longer supported, making it a critical threat vector.

B. Unsupported systems (Correct): The attack surface exploited was unsupported systems. A system is considered unsupported when the vendor no longer provides security patches or updates for it. Since the web application was no longer receiving security updates, any discovered vulnerability became a permanent attack surface for attackers to exploit.

C. Human social engineering (Incorrect): The attack was a technical exploit of a system, not a social engineering trick against a person.

D. Open service ports (Incorrect): While the attack likely used an open port to access the application, the port itself wasn’t the vulnerability. The vulnerability was in the unpatched software running on that port.
#7. Answer: D

During a security audit, consultants discover that several internal services are running with open ports exposed to the internet, including Telnet and FTP. Attackers are already scanning the network for these services.

Which attack surface does this represent?



A. Unsecure networks (Incorrect): While the network is insecure, “open service ports” is a more precise and descriptive term for the specific vulnerability being exploited.

B. Removable devices (Incorrect): This threat vector involves using physical media like a USB drive to introduce malware. It is unrelated to the network-based vulnerability described.

C. Supply chain attack (Incorrect): A supply chain attack involves compromising a third-party vendor to target an organization. The scenario describes a direct vulnerability on the company’s own network.

D. Open service ports (Correct): The presence of open service ports, such as Telnet and FTP, that are accessible from the internet creates a direct attack surface. Attackers actively scan for these services because they can be exploited to gain unauthorized access, especially older, insecure protocols like the ones mentioned.
#8. Answer: D

An attacker creates a malicious image file that, when opened, executes code exploiting a vulnerability in the company’s photo viewer software. Several employees download and open the file from a shared drive.

Which threat vector was used?


A. File-based (Incorrect): This is a broad term. While the attack uses a file, “image-based” is a more specific and accurate description of the attack vector.

B. Social engineering (Incorrect): Social engineering may have been used to get the employees to open the file, but the primary attack vector is the file itself, which contains the malicious code.

C. Supply chain (Incorrect): A supply chain attack involves a compromise of a vendor or third party. The scenario describes a direct attack using a file, not a vendor compromise.

D. Image-based (Correct): The threat vector is image-based. The attacker used a seemingly harmless image file as a container for malicious code. The vulnerability in the photo viewer software allowed the hidden code to execute when the file was opened, making the image itself the vector for the attack.
#9. Answer: C

A multinational company discovers that employees in a specific region were redirected to a fake HR portal after visiting a legitimate government job website. The attackers injected malicious code into the trusted site to capture corporate credentials.

Which vector is being exploited?


A. Pretexting (Incorrect): Pretexting is a social engineering attack where an attacker creates a fabricated scenario to trick a person into giving up information, typically through direct communication.

B. Business email compromise (Incorrect): Business email compromise (BEC) is an email-based scam, often involving impersonating a senior executive to trick an employee into a fraudulent action.

C. Watering hole (Correct): This is a watering hole attack. The attacker compromised a legitimate, trusted website that employees were known to frequent (the “watering hole”). By injecting malicious code, they were able to redirect unsuspecting visitors to a fake login page to capture credentials.

D. Vishing (Incorrect): Vishing is a form of phishing that uses voice calls or voicemails as the attack vector.
#10. Answer: A

A system administrator notices malware spreading across the network from a laptop infected after connecting a personal USB drive. The malware leveraged autorun to execute as soon as the device was plugged in.

Which attack vector is this?

A. Removable device (Correct): The attack vector is a removable device. The malware was introduced into the network via a physical USB drive. The attack leveraged the device’s ability to automatically execute a file (autorun) as soon as it was plugged in, making the physical medium the primary vector.

B. Human social engineering (Incorrect): While social engineering could have been used to trick the user into plugging in the drive, the attack vector itself is the physical device, not the deception.

C. Unsupported systems (Incorrect): This refers to a vulnerability in a system that is no longer receiving security patches. The scenario describes a physical vector, not a system vulnerability.

D. File-based (Incorrect): While the malware is a file, the primary vector is the physical, removable device that delivered it. The file’s malicious nature is a secondary characteristic.