CompTIA Security+ SY0-501 (Practice Test)

CompTIA+ Security+ is a vendor neutral IT industry certification for security. It is an entry level certificate for the subject of IT security and is recommended to be the first security focused certificate an IT professional should learn. Security+ will establish core knowledge that would be required for any cyber-security role by covering essential skills in the areas of Threats, Attacks & Vulnerabilities, Technologies & Tools, Architecture & Design, Identity & Access Management, Risk Management & Cryptography and PKI.

  • Questions: 20
  • Time: 60 seconds per question (0 hours, 20 minutes, 0 seconds)
  • Included Objectives:
    • Threats, Attacks and Vulnerabilities
    • Technologies and Tools
    • Architecture and Design
    • Identity and Access Management
    • Risk Management
    • Cryptography and PKI

Which regulation in the United States would apply to a healthcare organization and require they protect the confidentially of patient data?

  • GDPR
  • EU Privacy Shield
  • HDPA

What type of NIDS commonly uses artificial intelligence and data mining to identify malicious network traffic?

  • Filter-based NIDS
  • Signature-based NIDS
  • Rule-based NIDS
  • Anomaly-based NIDS

Which term best applies to the following statement: Plain text data is converted to an unreadable format that cannot be converted back into it's original format

  • Codebook
  • Asymmetric Encryption
  • Encryption
  • Hashing

Which option best describes the following situation: An attacker has intercepted network packets between a browser and web server. The attack then re-transmits the intercepted data to the web server hoping the server will respond with useful information (e.g. a session id, credit card information, etc.).

  • Bluejacking
  • Replay
  • Cross-site scripting
  • Injection

What type of public certificate can be used with multiple sub-domains?

  • Wildcard
  • Multipurpose
  • Domain validated certificate
  • Self-signed

A large chemical company will soon be legally required to offer phone support for customers to contact in the event of a chemical spill or other similar issue. The new law requires the company be available 24/7, 365 days a year or large fines will be levied against the company. You have been contracted to ensure a power outage does not prevent the help desk from being available to callers. You have been given the requirement that all electronic equipment (desktops, servers, network equipment, phones, etc.) must operate for up to 24 hours without interruption during a power outage. Which of the following options would best meet requirement?

  • Line-Interactive UPS
  • Online UPS
  • Generator
  • Emergency power supply

What term refers to a holistic approach to IT security including diversification of vendors, controls (both administrative and technical) and user training?

  • Holistic IA
  • Defense-in-depth
  • DMZ
  • Regulatory standard framework

What term defines an operating system that has been verified as having a sufficient level of security based on the Common Criteria for Information Technology Security Evaluation?

  • Protection Profiled Operating System (PPOS)
  • Certified Secure Operating System (CSOS)
  • Trusted Operating System (TOS)
  • SFRs

You are conducting a penetration test on a web application recently purchased by the HR department of your employer. You find that when creating a new user account in the Web UI you can delete data from the database by entering '; DROP TABLE Users' into the field for the user account. What type of vulnerability have you discovered?

  • SQL injection
  • XML Injection
  • Drop database vulnerability
  • Request forgery

How many rounds does 3DES perform when encrypting data?

  • 48
  • 8
  • 16
  • 32

Which of the following is used in PKI for key agreement?

  • RSA
  • CTR
  • HMAC
  • ECDH

You are an IT specialist on the Network Security team of a large enterprise. You have been tasked to implement a wireless network to be used by employees in the corporate headquarters. Your employer is very security conscious and instructs you to use the best possible encryption protocol available. What 802.11 protocol would you use to fulfill this requirement?

  • SSH
  • WIFI-S
  • WPA
  • WPA2

Your employer has always been very security conscious and to date does not use an company owned mobile or wireless devices like laptops and smart phones. A new project aims to evaluate options on the market for security implementing laptops within the company. One requirement is that all data stored on the laptop's drive must be encrypted. What type of drive could fulfill this requirement?

  • SED
  • VPN
  • RAID 0

You are responsible for application security for a small startup. You are responsible for conducting regular penetration tests. Recently the startup has faced some budget issues and lacks the funds to create a stand alone system to be used for vulnerability scanning applications. Due to this constraint you must conduct vulnerability scans on the live system (the same one being used by customers). What type of scan should be used to ensure vulnerabilities are found but not executed?

  • non-intrusive
  • intrusive
  • non-credentialed
  • credentialed

A smaller online retailer is experiencing huge numbers of requests on their websites. They are not running any major marketing campaigns and while seeing a lot of traffic are not seeing a rise in sales or logins. Eventually their web servers become overloaded and users are unable to load pages on the website. What type of attack most likely occurred?

  • Jamming
  • Replay
  • Overflood
  • DDOS

You are responsible for network security within your employer's network architecture team. Your team is implementing a new network that can allow unauthenticated WiFi users access to the internet without allowing them access to any internal systems. What type of WiFi network is this?

  • DMZ
  • Extranet
  • Guest
  • NAT

What type of DOS attack sends a large number of new TCP requests to a server in order to overwhelm it with unused open sessions?

  • SYN Flood
  • Spanning tree
  • DDoS
  • Session hijacking

You work as a freelance security consultant. You are now working for a large government and have been contracted to create a stand-alone system that should attract malicious activity. The system should mimic an existing productive system but with fake non-sensitive data. The activity in this new system should be recorded so security analysts can review and identify patterns in the malicious activity. What best defines this type of system?

  • DDoS Mitigator
  • Ad hoc target
  • Honeynet
  • DMZ

Which of the following options is a vendor neutral standard for message logging?

  • syslog
  • Event manager
  • SIEM
  • SNMP

Your employer allows BYOD because the companies software landscape is entirely based on SaaS applications on the internet. Recently an employee's various accounts were accessed by a hacker. The user tells you they had different passwords for all of the applications. No one else has reported similar issues. After helping the user conduct a malware scan on their personnel device you find that they have malware that records input given to the PC by the user. What option best describes the type of malware found?

  • Keylogger
  • Virus
  • Worm
  • RAT