CompTIA Security+ Practice Test of the Day 260313

Welcome to today’s CompTIA Security+ practice test!

This practice test uses our new UI!

Today’s practice test is based on Subdomain 3.2 (Given a scenario, apply security principles to secure enterprise infrastructure.) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.

CompTIA Security+ Practice Test of the Day 260313

10 questions • Single best answer

Question 1

A network engineer at a regional bank is redesigning the perimeter security architecture after an external audit revealed that internal systems were directly reachable from the internet following a misconfigured firewall rule. Management has mandated that sensitive backend systems — including database servers and application servers — must never be directly accessible from untrusted networks. The engineer proposes placing a buffer zone between the internet-facing systems and the internal network to host public-facing services such as web servers and mail relays. Which network design element BEST addresses this requirement?

A. Deploying a next-generation firewall (NGFW) with deep packet inspection on the internal network segment B. Creating a screened subnet to host publicly accessible services while isolating internal resources C. Implementing a jump server to provide administrators with controlled access to backend systems D. Enabling 802.1X port-based authentication on all internal switches to prevent unauthorized connections

Question 2

A penetration tester contracted by a healthcare organization is assessing the network's boundary devices. During testing, she discovers that one of the organization's firewalls is configured to continue passing traffic on all ports if it experiences a hardware failure. The organization's security policy requires that in the event of a device failure, no traffic should be permitted through until the device is restored or replaced. Which firewall failure mode does the current configuration represent, and which mode does the policy require?

A. The current configuration is fail-closed; the policy requires fail-open B. The current configuration is fail-open; the policy requires fail-closed C. The current configuration is active mode; the policy requires passive mode D. The current configuration is inline mode; the policy requires tap/monitor mode

Question 3

Your organization recently deployed a new web-based customer portal that processes financial transactions. The security team is evaluating which type of firewall or security appliance should be placed in front of the portal to protect against application-layer attacks such as SQL injection, cross-site scripting, and HTTP request smuggling. A traditional stateful firewall is already in place at the network perimeter, but the security team believes additional, targeted protection is needed specifically for the web application. Which appliance BEST meets this requirement?

A. A unified threat management (UTM) device configured with IDS signatures for known malware B. A next-generation firewall (NGFW) operating at Layer 7 to enforce application-aware policies C. A web application firewall (WAF) deployed in front of the customer portal D. A network-based intrusion prevention system (IPS) monitoring traffic on the perimeter segment

Question 4

An analyst in a SOC observes that a recently deployed network sensor is generating alerts for all suspicious traffic passing through a core switch segment, but no traffic is actually being blocked. Upon investigating, the analyst confirms the device has full visibility into the traffic but is configured only to alert and log — it cannot insert itself into the traffic path to drop packets. The security team is debating whether to reconfigure the deployment. Which device attribute BEST describes this sensor's current operational mode?

A. Active and inline, because it is generating alerts in real time B. Passive and tap/monitor, because it observes traffic without being in the forwarding path C. Fail-open, because it is not blocking any traffic during an alert condition D. Inline and fail-closed, because it is connected directly to the switch segment

Question 5

A security administrator at a mid-sized company is hardening remote access for employees working from home. Currently, employees use a standard SSL VPN with username and password only. After reviewing recent threat intelligence indicating credential stuffing attacks targeting the company's VPN gateway, management has approved adding a second authentication factor. The administrator also wants to ensure that the VPN tunnel itself encrypts all data in transit between the remote endpoint and the corporate network using a protocol that supports both authentication and encryption of the entire IP packet. Which combination BEST satisfies both requirements?

A. Implement TLS tunneling for the VPN and add SMS-based one-time passwords as a second factor B. Implement IPSec in tunnel mode and add a hard authentication token as a second factor C. Replace the SSL VPN with SD-WAN and configure SAML-based single sign-on D. Deploy a jump server with certificate-based authentication and configure L2TP without encryption

Question 6

A penetration tester discovers that a company's internal network has a single Windows server acting as a gateway that administrators must connect to before accessing any critical infrastructure — including domain controllers, database servers, and industrial control systems. The server is configured with enhanced logging, session recording, and MFA. All administrative traffic is required to route through this system, and direct RDP or SSH connections to critical assets from workstations are blocked by firewall rules. Which type of network appliance does this server represent?

A. A proxy server, because it forwards requests on behalf of other clients B. A load balancer, because it distributes administrative connections across multiple backend systems C. A jump server, because it serves as a controlled, monitored intermediary for administrative access to sensitive systems D. A honeypot, because it is isolated from the production environment and designed to attract attackers

Question 7

The CISO of a financial institution is reviewing a proposal to deploy a new unified security appliance at the organization's branch offices. The proposal recommends a single device that will combine stateful firewall capabilities, intrusion prevention, antivirus scanning, content filtering, VPN termination, and spam filtering into one platform. The CISO is concerned about both the security benefits and potential risks of this approach compared to deploying individual best-of-breed appliances. Which term BEST describes the proposed single-platform solution, and what is a key architectural risk the CISO should consider?

A. Next-generation firewall (NGFW); the primary risk is that Layer 7 inspection may introduce latency B. Unified threat management (UTM); the primary risk is that it represents a single point of failure for multiple security functions C. Secure access service edge (SASE); the primary risk is cloud dependency for branch connectivity D. Web application firewall (WAF); the primary risk is that it only protects web-facing applications

Question 8

A security architect is designing the network topology for a new enterprise environment. She needs to ensure that administrative access to servers in the data center is tightly controlled. Additionally, she wants the web servers that users access from the internet to be placed in a zone that is accessible from outside the organization but isolated from the internal corporate LAN. She is also planning to implement authentication at the network switch level to prevent any unauthorized device from obtaining network access simply by plugging into a wall jack. Which three technologies, in combination, BEST address all three of these requirements respectively?

A. Jump server; screened subnet; 802.1X B. Proxy server; VLAN segmentation; WPA3 C. IDS sensor; DMZ routing; NAC agent D. Load balancer; firewall ACLs; RADIUS-only authentication

Question 9

An attacker is attempting to gain access to an organization's internal network by exploiting weaknesses in how network devices are placed and connected. After passively enumerating the environment, the attacker identifies that a high-value file server is located on the same network segment as the public-facing web server. She is able to pivot from the compromised web server directly to the file server without traversing any additional firewall or access control boundary. Which security architecture principle was MOST clearly violated in this environment?

A. The principle of least privilege, because the web server had excessive permissions on the file server B. Security zone design and network segmentation, because the web server and file server share the same trust boundary C. The use of a next-generation firewall, because deep packet inspection was not configured on the web server segment D. Physical isolation, because the two servers were not placed in separate data center rooms

Question 10

A cloud security engineer at an enterprise that recently migrated to a hybrid cloud model is evaluating access controls for remote employees. The company has workers connecting from personal home networks, corporate laptops, mobile devices, and occasionally public Wi-Fi hotspots. The security team wants to implement an architecture that applies consistent security policy enforcement at the network edge regardless of where the user is connecting from, integrates identity verification with network access control, and eliminates the need for traditional VPN backhauling of traffic through the corporate data center. Which architecture BEST meets these requirements?

A. Deploy a software-defined wide area network (SD-WAN) with hub-and-spoke topology to all branch locations B. Implement a secure access service edge (SASE) solution that combines network security functions with WAN capabilities delivered from the cloud C. Require all remote users to connect through an IPSec VPN concentrator at the corporate data center before accessing cloud applications D. Configure a next-generation firewall (NGFW) at the corporate perimeter with split tunneling enabled for remote workers

Desk Mat CTA Block

Tired of Googling acronyms while practicing/studying?
Keep them all under your keyboard.

📋 GET_THE_DESK_MAT

Take more CompTIA Security+ practice tests

CompTIA Security+ Practice Test of the Day 260313

ByThe Test Master

Related Post

CompTIA Security+ Practice Test of the Day 260410

CompTIA Security+ Practice Test of the Day 260409

CompTIA Security+ Practice Test of the Day 260408

Leave a Reply Cancel reply

You missed

CEH v13 Domain 7.1 Practice Test 002

CEH v13 Domain 6.1 Practice Test 002

CEH v13 Domain 5.3 Practice Test 002

CEH v13 Domain 5.2 Practice Test 002