
Welcome to today’s CompTIA Security+ practice test!
Today’s practice test is based on subdomain 3.2 (Given a scenario, apply security principles to secure enterprise infrastructure) of the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. An analyst in a SOC observes that a company’s firewall is operating in a “fail-open” mode after a hardware malfunction. What is the MOST significant security concern with this configuration?
#2. Your organization is segmenting its internal network to separate development servers from production systems. Which technology would BEST enforce this logical separation while minimizing hardware costs?
#3. A healthcare provider must ensure that IoT-enabled medical devices remain operational even if internet connectivity is lost. Which infrastructure design principle would MOST directly address this need?
#4. An organization implements a jump server to manage connections into its restricted network segment. What is the PRIMARY security benefit of this design?
#5. A company recently deployed a next-generation firewall (NGFW). Which capability BEST differentiates NGFWs from traditional firewalls?
#6. An attacker gained access to a company’s mirrored network port used for IDS monitoring. Which infrastructure design would BEST have reduced the risk of this attack?
#7. A cloud services provider needs to enforce identity-based access control for remote users connecting to its SD-WAN infrastructure. Which protocol would MOST appropriately be used?
#8. A SOC analyst notices high volumes of traffic routed through a proxy server. Which PRIMARY advantage does a proxy server provide in securing enterprise infrastructure?
#9. A manufacturing company runs legacy SCADA systems that cannot be patched. Which security control would BEST protect these assets?
#10. During a penetration test, consultants discover that port security is disabled on the company’s switches. What is the MOST likely risk introduced by this misconfiguration?
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | B | An analyst in a SOC observes that a company’s firewall is operating in a “fail-open” mode after a hardware malfunction. What is the MOST significant security concern with this configuration? A. All inbound traffic is blocked, disrupting business operations (Incorrect): This describes a “fail-closed” configuration. A fail-closed firewall stops all traffic upon failure, prioritizing security over availability. A fail-open firewall prioritizes availability over security. B. Unauthorized traffic may pass through unrestricted (Correct): When a firewall is configured in “fail-open” mode, a hardware or software failure causes the device to revert to a state where it stops inspecting traffic and allows all data to pass through as if it were a simple network bridge. The most significant security concern is the loss of all security controls, allowing potentially malicious or unauthorized traffic into the protected network without restriction. C. The firewall’s logs cannot be collected during downtime (Incorrect): While logging may be affected, the loss of security control (allowing unrestricted traffic) is a far more significant security concern than the temporary loss of logging data. D. Outbound connections are throttled, impacting performance (Incorrect): Throttling or performance impact is a general operational issue. The core problem with a fail-open state is the complete loss of security policy enforcement, not just a reduction in speed. |
| 2 | B | Your organization is segmenting its internal network to separate development servers from production systems. Which technology would BEST enforce this logical separation while minimizing hardware costs? A. Air-gapping (Incorrect): Air-gapping provides the highest security by physically isolating the networks (no shared hardware, cables, or connections). However, this method requires maximum hardware investment (separate switches, routers, etc.), which contradicts the requirement to minimize hardware costs. B. VLANs (Virtual Local Area Networks) (Correct): VLANs are the best choice because they enable a single physical network switch to be logically partitioned into multiple, distinct broadcast domains. This enforces separation between the development and production servers using the existing physical network infrastructure, thereby minimizing new hardware costs. C. Proxy servers (Incorrect): A proxy server manages and filters traffic for client requests (often internet access). It is a layer 7 application gateway and does not perform layer 2 or layer 3 network segmentation between internal server groups. D. Dedicated firewalls (Incorrect): While a firewall is necessary to control traffic between the segments, relying on dedicated, standalone firewalls solely for segmentation is more expensive than using the software-based partitioning capability (VLANs) already available on most modern network switches. VLANs create the logical segments, and a single router/firewall can then manage traffic flow between them. |
| 3 | A | A healthcare provider must ensure that IoT-enabled medical devices remain operational even if internet connectivity is lost. Which infrastructure design principle would MOST directly address this need? A. High availability (Correct): The core concern is maintaining operation (availability) despite a failure (internet loss). High availability (HA) is the design principle that ensures a system or component remains operational and accessible, often through redundancy and failover mechanisms. For IoT medical devices, HA would be implemented by ensuring the devices and their local control systems can function entirely within the local network (LAN or WLAN) or via redundant cellular/satellite links, effectively insulating critical functions from external internet failure. B. Load balancing (Incorrect): Load balancing is the distribution of network traffic or computational workload across multiple resources (like servers). Its primary goal is to optimize resource use, maximize throughput, and prevent overload, not specifically to maintain operation during a connectivity failure. C. Scalability (Incorrect): Scalability is the ability of a system to handle a growing amount of work or to be enlarged to accommodate that growth. While important for managing more devices, it does not directly address the requirement to maintain operation when the internet connection fails. D. Proxy-based filtering (Incorrect): A proxy server acts as an intermediary for network requests, often used for security, logging, or caching. While important for securing IoT traffic, its function is unrelated to ensuring continued operation if the primary internet link is severed. |
| 4 | A | An organization implements a jump server to manage connections into its restricted network segment. What is the PRIMARY security benefit of this design? A. Reduces the attack surface by centralizing access points (Correct): A jump server (or bastion host) acts as a single, hardened gateway through which all administrative access to a restricted network segment must pass. Instead of allowing direct connections to potentially dozens of sensitive hosts, the organization only has to secure and monitor this one server, thereby centralizing access control, logging, and monitoring, and significantly reducing the overall attack surface. B. Eliminates the need for multi-factor authentication (Incorrect): A jump server should enforce, not eliminate, strong authentication mechanisms like MFA for administrators before they are allowed to connect to the internal hosts. C. Prevents denial-of-service attacks against internal hosts (Incorrect): A jump server is designed for administrative access, not as a primary defense against high-volume denial-of-service (DoS) attacks, which are typically handled by perimeter firewalls, load balancers, or cloud scrubbing services. D. Encrypts all inbound and outbound network traffic by default (Incorrect): While the jump server connection itself is usually encrypted (e.g., SSH or RDP), the jump server does not inherently or automatically encrypt all other inbound and outbound traffic within the network segment or to the internet. Encryption is a separate service. |
| 5 | C | A company recently deployed a next-generation firewall (NGFW). Which capability BEST differentiates NGFWs from traditional firewalls? A. Ability to block by IP address and port (Incorrect): This is a fundamental capability of all traditional firewalls (stateless and stateful) and does not differentiate an NGFW. C. Logging of traffic flows (Incorrect): Both traditional and next-generation firewalls routinely log traffic flows. This is a basic function necessary for auditing and security analysis, not a differentiating feature of NGFWs. B. Integration with intrusion prevention features (Correct): The core capability that distinguishes a Next-Generation Firewall (NGFW) from a traditional firewall is its deep packet inspection (DPI) capability combined with integrated security functions. This allows the NGFW to go beyond port and protocol to identify and block threats based on the actual application being used and recognized attack patterns, which is the function of Intrusion Prevention Systems (IPS). Traditional firewalls require a separate IPS device. D. Stateful packet inspection (Incorrect): Stateful packet inspection is the key differentiating feature of a traditional stateful firewall, allowing it to track the state of active connections. NGFWs also use stateful inspection but layer much deeper capabilities (like IPS and application control) on top of it. |
| 6 | C | An attacker gained access to a company’s mirrored network port used for IDS monitoring. Which infrastructure design would BEST have reduced the risk of this attack? A. Using inline IDS instead of tap/monitor mode (Incorrect): While inline IDS (Intrusion Prevention System or IPS) is a valid design choice, it fundamentally changes the IDS’s function from passive monitoring to active traffic interception. It doesn’t solve the security risk of an attacker gaining access to the monitoring traffic itself, which is the immediate threat described. B. Encrypting the mirrored traffic using TLS (Incorrect): Mirrored (SPAN) traffic is an exact copy of raw network frames, and it is generally not possible or practical to encrypt it using protocols like TLS (Transport Layer Security) without fundamentally altering the monitoring process. TLS is typically used for securing application-layer communications between two endpoints. C. Segregating the IDS port on an isolated management VLAN (Correct): The core of the attack is unauthorized access to the network port used for IDS monitoring (often a Switch Port Analyzer or SPAN port). By placing this monitoring port and the IDS appliance on a dedicated, isolated management VLAN that is strictly separated from the regular corporate network, the organization creates a logical security boundary. This design significantly reduces the risk because an attacker who compromises a host on the corporate network cannot easily reach or listen on the isolated IDS monitoring segment. D. Configuring fail-open settings on the IDS (Incorrect): Fail-open settings determine what the IDS does if it crashes (prioritizing availability over security). This operational setting is completely irrelevant to the security concern of an attacker gaining unauthorized access to the mirrored traffic port. |
| 7 | D | A cloud services provider needs to enforce identity-based access control for remote users connecting to its SD-WAN infrastructure. Which protocol would MOST appropriately be used? A. 802.1X (Incorrect): 802.1X is the port-based Network Access Control (NAC) framework. While it is the container that often uses EAP (like EAP-TLS) to enforce authentication, 802.1X itself is the mechanism for wired or wireless port access rather than the specific remote access protocol for identity enforcement across an SD-WAN. B. SASE (Incorrect): SASE (Secure Access Service Edge) is an architectural model that converges networking (SD-WAN) and security services into a single cloud-delivered offering. It is a high-level design concept, not a specific, low-level authentication protocol like EAP-TLS. C. IPSec (Incorrect): IPSec (Internet Protocol Security) is used to provide confidentiality and integrity (encryption and tunneling) for the traffic, typically at the network layer (Layer 3). While IPSec is likely the underlying tunneling protocol used by the SD-WAN, it does not inherently provide the identity-based access control layer that EAP-TLS does. D. EAP-TLS (Correct): Extensible Authentication Protocol-Transport Layer Security (EAP-TLS) is the most appropriate protocol for strong, identity-based access control. It uses digital certificates (tied to the user’s identity) on both the client and the server, making it highly secure and scalable for remote users connecting to an SD-WAN gateway. This provides a robust identity layer for the connection. |
| 8 | A | A SOC analyst notices high volumes of traffic routed through a proxy server. Which PRIMARY advantage does a proxy server provide in securing enterprise infrastructure? A. Acts as an intermediary, masking internal client details (Correct): The PRIMARY security advantage of a proxy server is that it acts as an intermediary for client requests (often outgoing internet traffic). The proxy server makes the request to the external resource on the client’s behalf. To the outside world, the connection appears to originate from the proxy’s IP address, not the internal client’s. This process masks internal client details (like their IP address and network topology), providing a critical layer of anonymity and segmentation for the enterprise network. B. Encrypts all communication by default (Incorrect): A proxy server does not inherently or automatically encrypt all traffic. While a secure proxy can enforce the use of HTTPS/TLS, the encryption is ultimately handled by the client and the destination server, not the proxy by default. C. Serves as a hardware-based firewall (Incorrect): While some security proxies can perform filtering functions (like a firewall), a proxy server is fundamentally an application-layer (Layer 7) gateway that deals with specific protocols (like HTTP/HTTPS). A firewall is a network-layer (Layer 3/4) device that controls all types of network traffic based on state and policy. They are distinct components. D. Provides DNS resolution and caching (Incorrect): While some proxies may offer caching for performance, DNS resolution and caching is the primary function of a dedicated DNS server, not a proxy server. Proxies focus on relaying and filtering application traffic. |
| 9 | B | A manufacturing company runs legacy SCADA systems that cannot be patched. Which security control would BEST protect these assets? A. Application allow-listing (Incorrect): Application allow-listing (or whitelisting) prevents unauthorized programs from running on the host. While beneficial, it is a host-based control. Since the legacy SCADA systems are already vulnerable at the operating system or protocol level due to lack of patches, a network-level control (segmentation) provides a more robust external barrier. B. Network segmentation with firewalls (Correct): Since the systems cannot be patched (leaving known vulnerabilities open), the BEST compensating control is to limit network access to them. Network segmentation places the SCADA systems in an isolated network zone (often called an industrial DMZ or a separate VLAN) and uses firewalls to strictly control (and minimize) the protocols, ports, and hosts allowed to communicate with the SCADA assets. This reduces the attack surface by making the vulnerable systems unreachable from the general corporate network or the internet. C. Digital signatures (Incorrect): Digital signatures are used to verify the authenticity and integrity of software, data, or updates. While important for ensuring that SCADA configuration or communication has not been tampered with, they do not prevent an attacker from exploiting a known, unpatched vulnerability. D. Secure boot (Incorrect): Secure boot ensures that a device only loads software trusted by the manufacturer at startup. This is a mechanism to prevent boot-time malware or rootkits. It does not protect against network exploits targeting the operating system or application once the system is already running, which is the risk associated with unpatched systems. |
| 10 | C | During a penetration test, consultants discover that port security is disabled on the company’s switches. What is the MOST likely risk introduced by this misconfiguration? A. Brute-force attacks against user passwords (Incorrect): Brute-force attacks are an application-layer (Layer 7) threat targeting credentials. While an attacker could perform this after gaining access, the lack of port security is an access control failure (Layer 2) that grants them entry, not the mechanism that facilitates the brute-force attack itself. B. Replay attacks on encrypted traffic (Incorrect): Replay attacks are typically mitigated by cryptographic protocols (like TLS) using sequence numbers or timestamps. This risk is unrelated to the physical or logical access control provided by switch port security. C. Unauthorized devices connecting to the network (Correct): Port security is a fundamental Layer 2 (Data Link) security control on a switch. It restricts network access based on the MAC address of the device connected to a specific switch port. When it is disabled, any host can be plugged into an available port, allowing an unauthorized device (e.g., an attacker’s laptop, a rogue server, or a personal device) to gain immediate access to the internal network segment, which is the most direct and likely risk. D. DNS poisoning attacks (Incorrect): DNS poisoning involves manipulating DNS resolution data, an application-layer (Layer 7) attack. The primary failure of disabled port security is at the access control layer (Layer 2), allowing unauthorized devices onto the network. |


