Can you answer these Security+ Practice Test Questions?
This page includes six free Security+ practice test questions, one from each of the six domains in the Security+ SY0-501 exam. Click here for another set of six practice test questions when you’re done.
Security+ Practice Test Questions
These practice test questions came from the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide. The Study Guide covers all the exam objectives with full explanations and includes over 300 realistic practice test questions.
Security+ Practice Test Question 1
Q. Lisa recently developed an application for Human Resources. Personnel use this application to store and manage employee data, including PII. She programmed in the ability to access this application with a username and password that only she knows, so that she can perform remote maintenance on the application if necessary. Which of the following does this describe?
A. Virus
B. Worm
C. Backdoor
D. Trojan
Answer below.
Security+ Practice Test Question 2
Q. Lisa is a database administrator and received a phone call from someone identifying himself as a technician working with a known hardware vendor. The technician said he’s aware of a problem with database servers they’ve sold, but it only affects certain operating system versions. He asks Lisa what operating system the company is running on their database servers. Which of the following choices is the BEST response from Lisa?
A. Let the caller know what operating system and versions are running on the database servers to determine if any further action is
B. Thank the caller and end the call, report the call to her supervisor, and independently check the vendor for issues.
C. Ask the caller for his phone number so that she can call him back after checking the servers.
D. Contact law enforcement
Answer below.
Security+ Practice Test Question 3
Q. Your organization recently purchased a sophisticated security appliance that includes a DDoS mitigator. Where should you place this device?
A. Within the DMZ
B. At the border of the network, between the intranet and the DMZ
C. At the border of the network, between the private network and the Internet
D. In the internal network
Answer below.
Security+ Practice Test Question 4
Q. Developers in your organization have created an application designed for the sales team. Salespeople can log on to the application using a simple password of 1234. However, this password does not meet the organization’s password policy. Which of the following is the BEST response by the security administrator after learning about this?
A. Strong passwords aren’t required in applications.
B. Modify the security policy to accept this password.
C. Document this as an exception in the application’s
D. Direct the application team manager to ensure the application adheres to the organization’s password policy.
Answer below.
Security+ Practice Test Question 5
Q. Management within your organization wants to ensure that users understand the rules of behavior when they access the organization’s computer systems and networks. Which of the following BEST describes what they would implement to meet this requirement?
A. AUP
B. NDA
C. BYOD
D. DD
Answer below.
Security+ Practice Test Question 6
Q. A one-way function converts data into a string of characters. It is not possible to convert this string of characters back to the original state. What type of function is this?
A. Symmetric encryption
B. Asymmetric encryption
C. Stream cipher
D. Hashing
Answer below.
Answers to Practice Test Questions
Answer to Question 1
Q. Lisa recently developed an application for Human Resources. Personnel use this application to store and manage employee data, including PII. She programmed in the ability to access this application with a username and password that only she knows, so that she can perform remote maintenance on the application if necessary. Which of the following does this describe?
A. Virus
B. Worm
C. Backdoor
D. Trojan
Ans: C is correct. A backdoor provides someone an alternative way of accessing a system or application, which is exactly what Lisa created in this scenario. It might seem as though she’s doing so with good intentions, but if attackers discover a backdoor, they can exploit it.
A is incorrect. A virus is malicious code that attaches itself to an application and executes when the application runs, not code that is purposely written into the application.
B is incorrect. A worm is self-replicating malware that travels throughout a network without the assistance of a host application or user interaction.
D is incorrect. A Trojan is software that looks like it has a beneficial purpose but includes a malicious component.
Objective: 1.1 Given a scenario, analyze indicators of compromise and determine the type of malware.
Check out this blog post to learn more.
Answer to Question 2
Q. Lisa is a database administrator and received a phone call from someone identifying himself as a technician working with a known hardware vendor. The technician said he’s aware of a problem with database servers they’ve sold, but it only affects certain operating system versions. He asks Lisa what operating system the company is running on their database servers. Which of the following choices is the BEST response from Lisa?
A. Let the caller know what operating system and versions are running on the database servers to determine if any further action is
B. Thank the caller and end the call, report the call to her supervisor, and independently check the vendor for issues.
C. Ask the caller for his phone number so that she can call him back after checking the servers.
D. Contact law enforcement
Ans. B is correct. This sounds like a social engineering attack where the caller is attempting to get information on the servers, so it’s appropriate to end the call, report the call to a supervisor, and independently check the vendor for potential issues.
A is incorrect. It is not appropriate to give external personnel information on internal systems from a single phone call.
C is incorrect. It isn’t necessary to ask for a phone number because you wouldn’t call back and give information on the servers.
D is incorrect. The caller has not committed a crime by asking questions, so it is not appropriate to contact law enforcement personnel.
Objective: 2.3 Given a scenario, troubleshoot common security issues.
Check out this post to learn more.
Answer to Question 3
Q. Your organization recently purchased a sophisticated security appliance that includes a DDoS mitigator. Where should you place this device?
A. Within the DMZ
B. At the border of the network, between the intranet and the DMZ
C. At the border of the network, between the private network and the Internet
D. In the internal network
Ans. C is correct. A distributed denial-of-service (DDoS) mitigator attempts to block DDoS attacks and should be placed at the border of the network, between the private network and the Internet.
A is incorrect. If the network includes a demilitarized zone (DMZ), the appliance should be placed at the border of the DMZ and the Internet.
B and D are incorrect. Placing it in the DMZ or the internal network doesn’t ensure it will block incoming traffic.
Objective: 3.2 Given a scenario, implement secure network architecture concepts.
Check out this post to learn more.
Answer to Question 4
Q. Developers in your organization have created an application designed for the sales team. Salespeople can log on to the application using a simple password of 1234. However, this password does not meet the organization’s password policy. Which of the following is the BEST response by the security administrator after learning about this?
A. Strong passwords aren’t required in applications.
B. Modify the security policy to accept this password.
C. Document this as an exception in the application’s
D. Direct the application team manager to ensure the application adheres to the organization’s password policy.
Ans. D is correct. The application should be recoded to adhere to the company’s password policy, so the best response is to direct the application team manager to do so.
A is incorrect. Application passwords should be strong and should adhere to an organization’s security policy.
B is incorrect. It is not appropriate to weaken a security policy to match a weakness in an application.
C is incorrect. It is also not appropriate to simply document that the application uses a weak password.
Objective: 4.4 Given a scenario, differentiate common account management practices.
Check out this post to learn more.
Answer to Question 5
Q. Management within your organization wants to ensure that users understand the rules of behavior when they access the organization’s computer systems and networks. Which of the following BEST describes what they would implement to meet this requirement?
A. AUP
B. NDA
C. BYOD
D. DD
Ans. A is correct. An acceptable use policy (AUP) informs users of company expectations when they use computer systems and networks, and it defines acceptable rules of behavior.
B is incorrect. A non-disclosure agreement (NDA) ensures that individuals do not share proprietary data with others.
C is incorrect. A bring your own device (BYOD) policy identifies requirements for employee-owned mobile devices.
D is incorrect. The dd command (short for data duplicator) is available on Linux systems to copy files or entire disk images. Forensic analysts use it to create an image of a disk without modifying the original.
Objective: 5.1 Explain the importance of policies, plans and procedures related to organizational security.
Check out this post to learn more.
Answer to Question 6
Q. A one-way function converts data into a string of characters. It is not possible to convert this string of characters back to the original state. What type of function is this?
A. Symmetric encryption
B. Asymmetric encryption
C. Stream cipher
D. Hashing
Ans. D is correct. A hash function creates a string of characters (typically displayed in hexadecimal) when executed against a file or message, and hashing functions cannot be reversed to re-create the original data.
A, B, and C are incorrect. Encryption algorithms (including symmetric encryption, asymmetric encryption, and stream ciphers) create ciphertext from plaintext data, but they include decryption algorithms to re-create the original data.
Objective: 6.1 Compare and contrast basic concepts of cryptography.
Check out this post to learn more.
“Q. Of the following choices, what is the best choice for a device to filter and cache content from web pages?
A. Web security gateway
B. VPN concentrator
C. Proxy server
D. MAC filtering”
I feel like the answer to this question is both A and C. I am happy to accept that the best choice for web page caching is a proxy server; however, the best choice to filter website content is most certainly a web security gateway. Keyword: filtering. Both options are capable of doing filtering and caching, where A is better at filtering and D is better at caching. In the same way that some web gateways are incapable of performing web caching, some proxy servers are also incapable of filtering.
Thanks for the feedback. You’re correct.
What I’ve seen is that web security gateways didn’t originally have caching though it has been added as a feature in many web security gateways. I still don’t see it as a universal feature in all web security gateways though all proxy servers include both filtering and caching. With that in mind, it could be argued that proxy server is the BEST answer.
Still, the intent of the question isn’t meant to include two possible correct answers.
I changed the web security gateway answer to web server to eliminate the subtlety.
As an FYI, CompTIA seems to be using the term unified threat management (UTM) more than web security gateways these days. For example, the newest version of the CASP exam eliminates Web Security Gateways but includes UTMs.
Thanks again for the feedback.
If a question states, “Sally encrypted a project file with her public key. Later, an administrator accidentally deleted her account that had exclusive access to her private key. Can this project file be retrieved?” — is it not safe to assume that “exclusive access to their private key” means no one else can access it apart from that account?
The correct answer here seems to assume that “a recovery agent can recover keys that are placed in escrow” — but that contradicts the original statement in the question. What’s the best strategy for handling clumsily/inaccurately worded questions like this? I suspect there will be a few on the CompTIA test.
Thanks.
Kit, this is an example of “pick the best answer.” Also, the explanation provides a broader view of the topic. Let me explain.
> is it not safe to assume that “exclusive access to their private key” means
> no one else can access it apart from that account?
You can assume that no one else can access the private key if the user had exclusive access.
However, a recovery agent can decrypt the file by using a special recovery agent key. As an example, Microsoft NTFS encryption often encrypts files but embeds both the user’s key and the recovery agent’s key within the file so that either the user or the recovery agent can decrypt the file. That’s why D is correct.
The explanation gives a broader explanation of the recovery agent.
If an organization uses a recovery agent, the recovery agent can decrypt the file,
– in some cases by recovering a copy of the private key,
– and in other cases by using a special recovery agent key.
On the actual exam, I recommend looking for the best answer and looking for subtleties in the question.
One of the things I often repeat is that ideally, you should be able to look at any question and know why the correct answer is correct and why the incorrect answers are incorrect. This way, no matter how CompTIA words the questions, you’ll be able to answer them correctly. My intention with the explanations in questions I write is to help you understand why the correct answer is correct and why the incorrect answers are incorrect.
Hope this helps.
You can think of key escrow as the process of putting the private key in a safe environment. The purpose is to ensure that it is available for recovery, but placing the key into escrow doesn’t recover it.
A recovery agent is a designated individual that can recover keys or data. For example, a recovery agent can recover keys that are placed in escrow. In Microsoft systems, a recovery agent can recover data using a recovery agent key if the original key is lost.
Hope this helps.
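As an added example (not from the study guide, and not Microsoft’s EFS code), the following Python sketch shows the idea described in the two replies above: the file is encrypted under a per-file key, and that file key is wrapped once for the user and once for the recovery agent, so either one can decrypt it even after the user’s key is gone. The stream cipher and key wrapping here are a toy built from SHA-256 for illustration only; the real EFS algorithms and formats are not reproduced.

```python
import hashlib
import hmac
import os


def toy_crypt(key: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher (assumption for illustration, NOT EFS's real cipher).
    Keystream block i = SHA-256(key || i); XOR is its own inverse, so this
    function both encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        stream = hashlib.sha256(key + (offset // 32).to_bytes(8, "big")).digest()
        chunk = data[offset:offset + 32]
        out.extend(b ^ s for b, s in zip(chunk, stream))
    return bytes(out)


def protect_file(plaintext: bytes, user_key: bytes, recovery_key: bytes) -> dict:
    """Encrypt under a random per-file key, then wrap that key for each holder.
    The HMAC tag lets a decryptor detect a wrong key instead of returning garbage."""
    file_key = os.urandom(32)
    ciphertext = toy_crypt(file_key, plaintext)
    return {
        "ciphertext": ciphertext,
        "tag": hmac.new(file_key, ciphertext, hashlib.sha256).digest(),
        "wrapped_keys": {
            "user": toy_crypt(user_key, file_key),            # like EFS's user field
            "recovery_agent": toy_crypt(recovery_key, file_key),  # like the recovery field
        },
    }


def recover_file(protected: dict, holder: str, holder_key: bytes) -> bytes:
    """Unwrap the file key with the named holder's key and decrypt; raise on a wrong key."""
    file_key = toy_crypt(holder_key, protected["wrapped_keys"][holder])
    expected = hmac.new(file_key, protected["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, protected["tag"]):
        raise ValueError(f"{holder}: wrong key, file key not recovered")
    return toy_crypt(file_key, protected["ciphertext"])


def demo() -> bool:
    """Sally's account is deleted, but the recovery agent can still decrypt the file."""
    sally_key, recovery_key = os.urandom(32), os.urandom(32)
    secret = b"Project file contents (constructed sample data)"
    protected = protect_file(secret, sally_key, recovery_key)
    del sally_key  # simulate the deleted account: only the recovery agent's key remains
    return recover_file(protected, "recovery_agent", recovery_key) == secret
```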
What is the difference between key escrow and a recovery agent? Both recover private keys.