65+ Essential CompTIA Security+ Practice Questions to Conquer the Exam

The IaaS model provides the fundamental computing resources (virtual machines, storage, networking), giving the customer full control over the operating system, applications, and configurations.

An IDS is deployed out-of-band to monitor and alert on suspicious activity (detective control). An IPS is deployed in-line with traffic and can take action to stop a detected threat (preventive control).

A WAF is specifically designed to inspect HTTP traffic and can identify and block malicious SQL queries before they reach the application, serving as a direct mitigation for this vulnerability.

Tokenization replaces sensitive data with a unique, non-sensitive identifier called a token. The original data is stored securely in a separate vault, and the application interacts with the token, which can retain the format of the original data for validation purposes.

Typo squatting, also known as URL hijacking, relies on mistakes such as typos made by internet users when inputting a website address or, in this case, reading an email domain.

Operational controls are human-driven processes put in place to manage technology securely, which includes activities like security awareness training, user access reviews, and log monitoring.

A honeyfile is a fake file placed on a system to attract and detect attackers. When the file is accessed, it triggers an alarm, alerting security personnel to the breach.

Parameterized queries (or prepared statements) ensure that user input is treated as data and not as executable SQL code, which is the fundamental defense against SQL injection.

STP is a Layer 2 protocol that prevents switching loops in a network with redundant paths by logically blocking certain ports to create a loop-free tree topology.

Wi-Fi 6E is an extension of the Wi-Fi 6 standard that adds support for the 6 GHz frequency band, offering more channels, less interference, and higher throughput.

A replay attack involves capturing valid data transmission (like authentication credentials) and re-transmitting it to gain unauthorized access or perform an unauthorized action.

Degaussing uses a strong magnetic field to destroy data on magnetic media like hard disk drives and tapes. It has no effect on flash-based storage like SSDs.

The Authentication Header protocol is designed to provide connectionless integrity, data origin authentication, and protection against replay attacks. It authenticates the entire packet but does not encrypt it.

A rainbow table is a precomputed table for reversing cryptographic hash functions. It allows an attacker to look up a hash and find the corresponding plaintext password, which is much faster than brute-forcing.

Black-box testing is performed with no prior knowledge of the internal workings of the application. The tester interacts with the application as an end-user would, looking for vulnerabilities.

BloodHound uses graph theory to reveal hidden and unintended relationships within an Active Directory environment, allowing testers to easily identify highly complex attack paths.

Pivoting is a technique where an attacker uses a compromised system as a staging point to attack other systems on the same or a different network, effectively bypassing perimeter defenses.

The formula for ALE is SLE multiplied by ARO. The ARO represents how many times the threat is expected to occur in a year.

Non-repudiation provides proof of the origin of data and the integrity of the data. It is typically achieved using digital signatures, which bind a message to a specific sender.

A hot site is a mirror of the production environment, ready for immediate failover. A warm site has the necessary hardware and connectivity but needs software installation, configuration, and data restoration, resulting in a longer recovery time.

A CRL is a list of serial numbers of certificates that have been revoked by the issuing Certificate Authority and should no longer be trusted, for reasons such as key compromise.

UEM platforms evolve from MDM and combine the management of mobile devices and traditional endpoints (desktops, laptops) into a single console, providing a unified approach to security and configuration.

Whaling is a type of spear phishing attack specifically directed at senior executives or other high-profile targets within an organization.

Threat intelligence feeds provide up-to-date information about indicators of compromise (IoCs), such as malicious IP addresses, domains, and file hashes, which can be used to enrich log data and identify malicious activity.

A backout plan (or rollback plan) provides a detailed, documented procedure for reverting a system to its original state if a change fails. Its absence makes recovery from a failed change difficult and slow.

Many IoT devices are sold with no plan for long-term support, have no user-friendly mechanism for patching, or are from vendors that go out of business, leaving them permanently vulnerable to known exploits.

The Spiral model is a risk-driven process model generator. It combines elements of both design and prototyping-in-stages, with a heavy emphasis on risk analysis in each iteration.

Whitelisting (or allow listing) is the practice of specifying an index of approved software applications that are permitted to be present and active on a computer system. It follows a default-deny approach.

Containers virtualize the operating system, allowing multiple isolated user-space instances to run on a single host. They package an application with all of its libraries and configuration files but share the kernel of the host OS.

Change management is a formal process used to ensure that changes to a system are introduced in a controlled and coordinated manner, minimizing negative impact on services.

A Type 1 hypervisor, such as VMware ESXi or Microsoft Hyper-V, is installed directly on the physical server hardware, providing a more efficient and secure virtualization platform.

A baseline is a standardized level of security. The CIS Benchmarks provide well-defined, secure configuration baselines for various operating systems and applications.

bcrypt is a password hashing function specifically designed to be slow and computationally intensive. It incorporates a salt and allows for a configurable cost factor, making it highly resistant to brute-force attacks.

A mantrap is a physical security control with two sets of interlocking doors. Only one person can enter the space between the doors at a time, and they must authenticate before the second door will open, effectively preventing tailgating.

Federation, often using standards like SAML or OpenID Connect, establishes trust between an identity provider (the corporation) and a service provider (the SaaS application) to allow users to authenticate once and access multiple systems.

Official app stores have a review process to scan for malware and enforce security policies. Sideloading bypasses these checks, significantly increasing the risk of installing a malicious application.

Hashing both the source and the copy and verifying that the hashes match proves that the image is an exact, unaltered duplicate of the original evidence, which is a critical step in digital forensics.

This attack vector involves compromising a website to automatically download and execute malware on a visitor’s computer, often by exploiting browser or plug-in vulnerabilities.

The Detect function is defined by the ability to discover cybersecurity events in a timely manner through activities like continuous monitoring and anomaly detection.

A botnet consists of a large number of internet-connected devices, each running one or more bots, which have been co-opted by an attacker to forward transmissions to a target.

An evil twin attack involves setting up a fraudulent Wi-Fi access point that appears to be legitimate, with the goal of tricking users into connecting to it so the attacker can eavesdrop on their communications.

This phase, which includes creating a lessons-learned report, follows the recovery from an incident to improve security posture and response processes for the future.

The ‘.ps1’ file extension is used for scripts written in PowerShell, Microsoft’s task automation and configuration management framework.

A salt is a unique, random value added to each password before it is hashed. This prevents two users with the same password from having the same hash, rendering precomputed rainbow tables ineffective.

Open-Source Intelligence (OSINT) refers to the collection and analysis of data gathered from open sources (overt, publicly available sources) to produce actionable intelligence.

A .ps1 file is a PowerShell script. PowerShell is the modern, powerful scripting language for Windows administration and is well-suited for tasks like managing network drives.

DHCP snooping is a switch feature that inspects DHCP messages, builds a binding table of legitimate clients, and drops messages from untrusted ports that are acting as a DHCP server.

Fileless malware operates in memory and leverages legitimate system tools and processes (like PowerShell or WMI) to execute, avoiding detection by traditional file-based antivirus scanners.

SFTP runs over an SSH session, leveraging its strong encryption and authentication to provide secure file transfer and management capabilities.

A SOAR platform is designed to help security teams manage and respond to alarms by combining security orchestration, automation, and incident response into a single solution.

The correct remediation is to reconfigure the web server software (e.g., Apache, Nginx) to explicitly disable outdated and insecure ciphers and only permit strong, modern ones.

DNSSEC uses digital signatures to ensure that DNS responses are from the authoritative source and have not been tampered with, thus preventing attacks like DNS cache poisoning.

DLP solutions are designed to monitor, detect, and block sensitive data while in use (endpoint actions), in motion (network traffic), and at rest (data storage) based on a central policy.

RAID 6 extends RAID 5 by adding a second independent parity block, allowing it to withstand the failure of two drives simultaneously.

This component is responsible for enabling, monitoring, and terminating connections between a subject and a resource, acting as the agent that enforces the policy engine’s decision.

802.1X is the IEEE standard for port-based Network Access Control and is used in enterprise environments to authenticate users against a central directory, commonly a RADIUS server.

An air gap is a security measure where a secure computer network is physically isolated from unsecured networks to prevent unauthorized access. Data must be transferred using physical media.

Privilege creep (or permission creep) occurs when users accumulate access rights over time as their job roles change, and their old permissions are not revoked. This violates the principle of least privilege.

An APT is typically a well-resourced and highly skilled threat actor, often state-sponsored, that conducts long-term, stealthy, and complex campaigns to achieve a specific objective, such as espionage or data theft.

Fuzzing, or fuzz testing, is an automated software testing technique that involves providing invalid, unexpected, or random data as inputs to a computer program to find security loopholes and bugs.

This phase involves actively and passively collecting information about the target to identify potential vulnerabilities. Nmap for port scanning and Recon-ng for OSINT are classic tools for this stage.

Flow data provides metadata about network connections (source/destination IP, ports, traffic volume) without needing to inspect the payload, making it ideal for identifying patterns of communication to a known malicious IP.

An IDS is a detective control because it monitors for and reports on policy violations or malicious activity after it has occurred or as it is occurring, without actively blocking it.

In a serverless model, the cloud provider manages the operating system, patching, and infrastructure, abstracting these layers away and removing that management burden and associated attack surface from the customer.

A SYN flood is a denial-of-service attack where an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic by leaving many half-open connections.

This attack works by sending a frame with two VLAN tags. The first switch strips the outer tag and forwards the frame on the native VLAN, where the second switch then reads the inner tag, allowing the attacker to hop to the target VLAN.

On Debian-based systems such as Ubuntu, /var/log/auth.log is the standard file for recording all authentication-related events, including sudo commands and SSH logins.