This free CompTIA Security+ practice exam covers basic knowledge in the field of Information Systems Security. To pass the CompTIA Security+ exam, a candidate will need knowledge in Network Security, Compliance and operational security, threats and vulnerabilities, access control and identity management, cryptography, and application, data, and host security. This free practice test will test your knowledge and readiness for the CompTIA Security+ Examination.
1) What term refers to a holistic approach to IT security including diversification of vendors, controls (both administrative and technical) and user training?
Defense-in-depth is a concept that covers security from many different angles. The idea is to apply security measures wherever possible including physical controls like fences, technical controls like firewalls and administrative concepts like policies and user training. Defense-in-depth is a concept meant to ensure all possible security measures are taken into account.
This question is filed under objective 3, Architecture and Design
Defense in depth is a concept used in information security in which multiple layers of security controls (defense) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited, and it can cover aspects of personnel, procedural, technical and physical security for the duration of the system's life cycle …
2) What term defines an operating system that has been verified as having a sufficient level of security based on the Common Criteria for Information Technology Security Evaluation?
The term Trusted Operating System (TOS) refers to an operating system that has been certified to have a certain level of security. The requirements for this certification are defined in the Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC). Many organizations (especially governments) may only use operating systems certified as Trusted OSs.
This question is filed under objective 3, Architecture and Design
Trusted Operating System (TOS) generally refers to an operating system that provides sufficient support for multilevel security and evidence of correctness to meet a particular set of government requirements. The most common set of criteria for trusted operating system design is the Common Criteria combined with the Security Functional Requirements (SFRs) for Labeled Security Protection Profile (LSPP) and mandatory access control (MAC). The Common Criteria is the result of a multi-year effort by the governments of the US, Canada, United Kingdom, France, Germany, the Netherlands and other countries to develop harmonized security criteria for IT products …
3) Which term best applies to the following statement: Plain text data is converted to an unreadable format that cannot be converted back into its original format?
Hashing converts data using a one-way function. This means it cannot be converted back into its original format. This is ideal for storing things like passwords: even if the list of hashed passwords is lost, they cannot be easily "decrypted."
This question is filed under objective 6, Cryptography and PKI
A cryptographic hash function (CHF) is a mathematical algorithm that maps data of arbitrary size (often called the "message") to a bit array of a fixed size (the "hash value", "hash", or "message digest"). It is a one-way function, that is, a function which is practically infeasible to invert. Ideally, the only way to find a message that produces a given hash is to attempt a brute-force search of possible inputs to see if they produce a match, or use a rainbow table of matched hashes. Cryptographic hash functions are a basic tool of modern cryptography. The ideal cryptographic hash function has the following main properties: it is deterministic, meaning that the same message always results in the same hash; it is quick to compute the hash value …
4) Which of the following acronyms refers to a cryptographic hardware component capable of securely storing data like passwords and keys?
Trusted Platform Module (TPM) is a chip embedded into a device's motherboard. TPMs provide a way for the device to securely store certain important artifacts like passwords and cryptographic keys.
This question is filed under objective 3, Architecture and Design
Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys …
5) James is sending an email to Bob. To ensure confidentiality, James needs to send the email in an encrypted format using PKI. What will James use to encrypt the email so Bob can decrypt it?
In PKI, data encrypted with a public key can only be decrypted with the matching private key. James needs to send the email so that only Bob can decrypt it, so he will use Bob's public key. When Bob gets the email he will use his private key to decrypt it, therefore ensuring confidentiality.
This question is filed under objective 6, Cryptography and PKI
Email encryption is encryption of email messages to protect the content from being read by entities other than the intended recipients. Email encryption may also include authentication. Email is prone to the disclosure of information. Most emails are encrypted during transmission, but they are stored in clear text, making them readable by third parties such as email providers or advertisers. By default, popular email services such as Gmail and Outlook do not enable end-to-end encryption. By means of some available tools, persons other than the designated recipients can read the email contents. Email encryption can rely on public-key cryptography, in which users can each publish a public key that others can use to encrypt messages to them, while …
6) A junior security professional on your team is trying to export a public certificate and share it with a colleague outside of the IT department. They ask you if they should use a CER or PFX format. Which format should be used?
It is okay to share a public certificate stored in a .CER file. However, a .PFX file (a PKCS #12 archive) must not be shared, because it also includes the private key, which should never be shared!
This question is filed under objective 6, Cryptography and PKI
In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. A PKCS #12 file may be encrypted and signed. The internal storage containers, called "SafeBags", may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys and CRLs. Another SafeBag is provided to store any other data at individual implementer's choice. PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories …
7) What type of certificate can be used for a list of explicitly given domains, IP addresses or subdomains?
Subject Alternative Name (SAN) certificates are public certificates with a list of alternative domains, subdomains and/or IP addresses that can also use the certificate. For example, CrucialExams.com, www.CrucialExams.com, api.CrucialExams.com and the IP 4.5.4.5 can all be covered by a single certificate. Wildcards are a close alternative that supports any subdomain (e.g. *.google.com), but a wildcard could not also be used for gmail.com. To use a single certificate for a subdomain and an entirely different domain, a SAN certificate must be used.
This question is filed under objective 6, Cryptography and PKI
Subject Alternative Name (SAN) is an extension to X.509 that allows various values to be associated with a security certificate using a subjectAltName field. These values are called Subject Alternative Names (SANs). Names include: email addresses; IP addresses; URIs; DNS names (this is usually also provided as the Common Name RDN within the Subject field of the main certificate); directory names (alternative Distinguished Names to that given in the Subject); and other names, given as a General Name or Universal Principal Name (a registered object identifier followed by a value) …
8) Your employer has always been very security conscious and to date does not use any company-owned mobile or wireless devices like laptops and smart phones. A new project aims to evaluate options on the market for securely implementing laptops within the company. One requirement is that all data stored on the laptop's drive must be encrypted. What type of drive could fulfill this requirement?
A Self-Encrypting Drive (SED) is a type of hard drive that automatically encrypts all data saved to the disk. The encryption is hardware based, meaning that a circuit built into the disk drive controller handles the encryption and decryption itself. All contents of the drive are encrypted, including the operating system and any user files or documents.
This question is filed under objective 3, Architecture and Design
9) What improvements does a VLAN offer for network security?
A Virtual Local Area Network (VLAN) provides a logical or virtual way to separate areas of a network. This means devices can physically share the same network infrastructure (e.g. using a common switch) but remain separated from each other on the network.
This question is filed under objective 3, Architecture and Design
A virtual LAN (VLAN) is any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2). LAN is the abbreviation for local area network and in this context virtual refers to a physical object recreated and altered by additional logic. VLANs work by applying tags to network frames and handling these tags in networking systems – creating the appearance and functionality of network traffic that is physically on a single network but acts as if it is split between separate networks. In this way, VLANs can keep network applications separate despite being connected to the same physical network, and without requiring multiple sets of cabling and networking devices to be deployed …
10) Which of the following is used in PKI for key agreement?
Elliptic Curve Diffie-Hellman (ECDH) is a key exchange protocol used in Public Key Infrastructure (PKI). It allows for establishing shared secrets between two parties.
This question is filed under objective 6, Cryptography and PKI
11) What is the name of the process used to digitally sign executables?
Code signing can be used to digitally sign a program's executable or script files. This allows the person or computer running the application or script to verify its authenticity as well as to ensure it has not been altered since the developer created it.
This question is filed under objective 6, Cryptography and PKI
Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity. Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified …
12) You work as a freelance security consultant. You are now working for a large government and have been contracted to create a stand-alone system that should attract malicious activity. The system should mimic an existing productive system but with fake non-sensitive data. The activity in this new system should be recorded so security analysts can review and identify patterns in the malicious activity. What best defines this type of system?
This type of system is called a honeypot or honeynet. A honeypot is a system created specifically to attract attackers and act as a decoy system. Most likely it will have some obvious vulnerability like a misconfigured proxy or firewall to attract attackers. You can think of it as the digital equivalent of a sting operation. By creating an easy target you can divert attacks from the production network and also learn what types of vulnerabilities and attack types are exercised in the honeypot/net, in order to better protect the production network.
This question is filed under objective 3, Architecture and Design
In computer terminology, a honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems. Generally, a honeypot consists of data (for example, in a network site) that appears to be a legitimate part of the site that seems to contain information or a resource of value to attackers, but actually is isolated and monitored and enables blocking or analyzing the attackers. This is similar to police sting operations, colloquially known as "baiting" a suspect …
13) Your employer has asked your team to define and implement a new network area that will be accessible to authorized 3rd party companies through a dedicated WAN connection. A critical requirement is that access to this new network area should not also allow network access to the company's internal network and systems. What type of network best defines this setup?
This type of network setup is called an Extranet. An extranet is a private network that allows access to certain authorized parties. Most commonly this would be to share systems like a file server between two companies that have created a long-term partnership.
This question is filed under objective 3, Architecture and Design
An extranet is a controlled private network that allows access to partners, vendors and suppliers or an authorized set of customers – normally to a subset of the information accessible from an organization's intranet. An extranet is similar to a DMZ in that it provides access to needed services for authorized parties, without granting access to an organization's entire network. Historically, the term was occasionally also used in the sense of two organizations sharing their internal networks over a virtual private network (VPN) …
14) You are responsible for network security within your employer's network architecture team. Your team is implementing a new network that can allow unauthenticated WiFi users access to the internet without allowing them access to any internal systems. What type of WiFi network is this?
This type of WiFi network is called Guest WiFi. Guest WiFi networks are intended for external users like subcontractors or 3rd party partners. They may also be permitted for employees' personal devices. In some cases the Guest WiFi may also allow restricted access to internal resources, but this needs to be properly secured to ensure access is limited as much as possible.
This question is filed under objective 3, Architecture and Design
15) How many rounds does 3DES perform when encrypting data?
3DES or Triple DES applies the DES algorithm three times. DES uses 16 rounds, so we can conclude that 3DES performs 48 rounds (3 × 16 = 48).
This question is filed under objective 6, Cryptography and PKI
In cryptography, Triple DES (3DES or TDES), officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the DES cipher algorithm three times to each data block. The Data Encryption Standard's (DES) 56-bit key is no longer considered adequate in the face of modern cryptanalytic techniques and supercomputing power. However, an adapted version of DES, Triple DES (3DES), uses the same algorithm to produce a more secure encryption. While the government and industry standards abbreviate the algorithm's name as TDES (Triple DES) and TDEA (Triple Data Encryption Algorithm), RFC 1851 referred to it as 3DES from the time it first promulgated the idea, and this namesake has since come into wide use …
16) Out of the following algorithms, which is a symmetric-key algorithm?
Data Encryption Standard (DES) is a symmetric-key algorithm used for encryption. RSA, PGP/GPG and DSA are all asymmetric.
This question is filed under objective 6, Cryptography and PKI
The Data Encryption Standard (DES) is a symmetric-key algorithm for the encryption of digital data. Although its short key length of 56 bits makes it too insecure for applications, it has been highly influential in the advancement of cryptography. Developed in the early 1970s at IBM and based on an earlier design by Horst Feistel, the algorithm was submitted to the National Bureau of Standards (NBS) following the agency's invitation to propose a candidate for the protection of sensitive, unclassified electronic government data. In 1976, after consultation with the National Security Agency (NSA), the NBS selected a slightly modified version (strengthened against differential cryptanalysis, but weakened against brute-force attacks), which was …
17) A new company policy requires hardware encryption for certain highly confidential systems. These existing systems do not already have a hardware component that can provide this functionality. What is the easiest way to implement this new policy?
For existing systems the best option to add hardware-based encryption functionality is a Hardware Security Module (HSM). HSMs are usually stand-alone devices that can be used by other systems, or expansion cards that can be added to an existing system. A Trusted Platform Module (TPM) could provide similar functionality, but a TPM is permanently embedded into a system, so to use one the systems falling under this new policy would need to be replaced with new hardware that has a TPM.
This question is filed under objective 3, Architecture and Design
18) You have joined a new enterprise as a member of the IT Security team. During onboarding you receive two computers, one with access to highly confidential systems and one with access to less critical data and the internet. You cannot send data or documents from one network to the other and have to manage separate credentials for each. What concept best defines this approach?
This setup is best known as an air gap. In networking, an air gap means two or more networks are physically separated from each other to ensure no data can traverse from one to the other. Generally, if a network is so critical that it requires an air gap, it will be a completely stand-alone network with no access to other networks and especially not the internet. A true air gap is not common in most businesses, but some known examples are government or military networks, highly critical infrastructure networks like nuclear power plant controls, and financial systems like stock exchanges.
This question is filed under objective 3, Architecture and Design
An air gap, air wall, air gapping or disconnected network is a network security measure employed on one or more computers to ensure that a secure computer network is physically isolated from unsecured networks, such as the public Internet or an unsecured local area network. It means a computer or network has no network interfaces connected to other networks, with a physical or conceptual air gap, analogous to the air gap used in plumbing to maintain water quality …
19) Which of the following options is a protocol used to check if a certificate has been revoked?
Online Certificate Status Protocol (OCSP) is used for obtaining the revocation status of X.509 digital certificates.
This question is filed under objective 6, Cryptography and PKI
The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders. Some web browsers use OCSP to validate HTTPS certificates …
20) What type of public certificate can be used with multiple sub-domains?
A wildcard certificate applies to a domain and any of its subdomains. For example, a certificate for *.google.com could be used on mail.google.com, photos.google.com, etc. This way it is not necessary to create and manage individual certificates for all of these subdomains.
This question is filed under objective 6, Cryptography and PKI
In computer networking, a wildcard certificate is a public key certificate which can be used with multiple sub-domains of a domain. The principal use is for securing web sites with HTTPS, but there are also applications in many other fields. Compared with conventional certificates, a wildcard certificate can be cheaper and more convenient than a certificate for each sub-domain. Multi-domain wildcard certificates further simplify the complexity and reduce costs by securing multiple domains and their sub-domains …