CompTIA SY0-701 CompTIA Security+ Exam Dumps and Practice Test Questions Set 1 Q1-15
Question 1
Which of the following best describes a zero-day vulnerability?
A) A vulnerability that has been publicly disclosed but not patched
B) A vulnerability that is actively exploited and has no existing patch
C) A vulnerability in open-source software only
D) A vulnerability in outdated hardware
Answer: B) A vulnerability that is actively exploited and has no existing patch
Explanation:
A zero-day vulnerability represents one of the most dangerous security concerns in cybersecurity because it is a flaw unknown to the vendor or developer at the time of exploitation. The term “zero-day” refers to the fact that the vendor has had zero days to fix or patch the vulnerability since they are unaware of its existence. This makes zero-day vulnerabilities particularly difficult to defend against because no official fix exists, and attackers can exploit them freely. These vulnerabilities can appear in software, hardware, or firmware and can have catastrophic consequences if leveraged successfully.
The first choice describes a vulnerability that has been publicly disclosed but not patched. While this is a legitimate security concern, it is different from a zero-day vulnerability because the vendor is aware of it. Publicly disclosed vulnerabilities give defenders at least some opportunity to implement workarounds, mitigations, or temporary patches, even if an official patch has not been released yet. Attackers can exploit these vulnerabilities, but the critical difference is that the vendor is aware, and action can be taken. Zero-day vulnerabilities, by contrast, remain unknown to the vendor, which eliminates the ability to proactively defend against the exploit.
The second choice accurately defines a zero-day vulnerability. When a flaw is actively exploited and no patch exists, it qualifies as a zero-day vulnerability. The danger comes from the combination of unknown status and active exploitation. Zero-day vulnerabilities are frequently targeted by cybercriminals, nation-state actors, and sophisticated threat groups because they allow attacks that bypass traditional security defenses like antivirus software, firewalls, and intrusion detection systems. Security professionals mitigate zero-day risks by implementing layered security, behavior-based monitoring, threat intelligence, and rapid incident response strategies. Understanding zero-day vulnerabilities is essential for Security+ candidates because these flaws illustrate the need for proactive defenses and real-time monitoring.
The third choice suggests that zero-day vulnerabilities exist only in open-source software. While open-source software can indeed have zero-day vulnerabilities, the defining feature of zero-day attacks is not the software’s licensing model. Zero-day vulnerabilities can occur in proprietary, commercial, or open-source systems alike. For instance, vulnerabilities discovered in major operating systems, office software suites, and web browsers are often proprietary, yet they can still be exploited before patches are available. Limiting the definition to open-source software is inaccurate and may mislead candidates into thinking proprietary systems are immune, which is not the case.
The fourth choice involves vulnerabilities in outdated hardware. Hardware vulnerabilities can present significant security risks, but a zero-day vulnerability does not depend on the age of the hardware. Even newly released hardware can have zero-day flaws if they are unknown and actively exploited. Conversely, older or outdated hardware may have well-documented vulnerabilities that already have patches or mitigations in place, meaning they do not meet the definition of a zero-day. The critical component of a zero-day vulnerability is the lack of awareness and the absence of an available patch at the time of exploitation, not the age or type of hardware.
In conclusion, the correct answer is the second choice because zero-day vulnerabilities are defined by the combination of active exploitation and the absence of an available patch. The other choices describe situations that, while potentially dangerous, do not meet the strict definition of a zero-day: publicly disclosed but unpatched vulnerabilities, open-source software vulnerabilities, or flaws in outdated hardware. Security+ candidates must understand zero-day vulnerabilities because they illustrate the importance of layered security, threat intelligence, and rapid response. Organizations must deploy proactive monitoring, intrusion prevention systems, network segmentation, and virtual patching to reduce the risk. Zero-day vulnerabilities highlight the ongoing battle between attackers exploiting unknown flaws and defenders working to detect and mitigate them, making this a fundamental concept in cybersecurity strategy.
Question 2
Which access control model uses labels to determine access based on sensitivity?
A) Discretionary Access Control (DAC)
B) Role-Based Access Control (RBAC)
C) Mandatory Access Control (MAC)
D) Attribute-Based Access Control (ABAC)
Answer: C) Mandatory Access Control (MAC)
Explanation:
Mandatory Access Control (MAC) is a strict access control model where access permissions are determined by system-enforced policies using security labels. Each user and object is assigned a label, which may reflect sensitivity levels, such as “Confidential,” “Secret,” or “Top Secret.” The system then enforces access strictly based on these labels, and individual users cannot override the restrictions. MAC is widely used in military, government, and high-security environments because it minimizes the possibility of accidental or malicious access.
The first choice, Discretionary Access Control, allows resource owners to control access permissions at their discretion. While this model is flexible, it lacks the strict enforcement of sensitivity labels. Users can grant access to others, which may result in inconsistent security enforcement. DAC is easier to manage in smaller organizations but is not suitable for environments where rigid classification and compliance requirements exist.
The second choice, Role-Based Access Control, assigns permissions based on a user’s role within an organization. Access is determined by the responsibilities of the role rather than sensitivity labels. RBAC is efficient for large organizations because it simplifies permission management, but it does not enforce mandatory label-based policies. Users with the same role share access rights, but the model does not inherently consider the sensitivity level of each resource.
The fourth choice, Attribute-Based Access Control, evaluates multiple attributes such as user role, time, location, and device to determine access. ABAC is highly flexible and can enforce complex policies dynamically, but it does not rely solely on classification labels. ABAC decisions are based on a combination of attributes, making it distinct from the label-centric MAC model.
The correct answer is MAC because it enforces access based on security labels, ensuring users can only access information for which they have clearance. DAC, RBAC, and ABAC, while useful in various scenarios, do not provide the same level of mandatory enforcement. Security+ candidates must understand MAC to recognize its applications in sensitive environments, its strengths in strict policy enforcement, and its role in protecting classified information. MAC emphasizes the principle of least privilege and the importance of regulatory compliance in information security, making it a critical concept for the exam.
Question 3
Which of the following is a common method for mitigating SQL injection attacks?
A) Input validation and parameterized queries
B) Disabling antivirus software
C) Using default passwords
D) Installing more RAM
Answer: A) Input validation and parameterized queries
Explanation:
SQL injection attacks occur when attackers insert malicious SQL statements into input fields to manipulate or gain unauthorized access to a database. Mitigation relies on secure coding practices that separate user input from executable SQL commands. Input validation ensures that data meets expected patterns, lengths, and types, preventing malicious code from being processed. Parameterized queries, also known as prepared statements, use placeholders for user input, ensuring that the database treats it as data rather than executable code. Together, input validation and parameterized queries are highly effective in preventing SQL injection.
Disabling antivirus software does not mitigate SQL injection. While antivirus programs protect against malware, SQL injection exploits vulnerabilities in application code and database interaction. Removing antivirus software could increase overall system risk but has no impact on the injection vulnerability.
Using default passwords is a poor security practice but unrelated to SQL injection. Default credentials may allow unauthorized access to systems but do not address the injection of SQL commands into database queries. Proper credential management is critical, but it does not prevent SQL injection attacks.
Installing more RAM improves system performance but does nothing to prevent SQL injection. Memory upgrades cannot influence how input is processed or queries are executed. Security measures must focus on code correctness, input handling, and query design.
The correct answer is input validation and parameterized queries. These methods prevent attackers from altering SQL statements, maintaining data integrity and confidentiality. Security+ candidates must understand SQL injection, common attack vectors, and mitigation strategies to protect applications effectively. SQL injection remains a prevalent attack due to improper input handling, emphasizing the importance of secure development practices.
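Added example (not part of the practice test): the two controls named in the explanation, shown side by side against a constructed in-memory SQLite table. The vulnerable lookup builds SQL by string concatenation; the hardened lookup applies an allow-list check and then a parameterized query.

```python
import re
import sqlite3


def make_db():
    # Constructed sample data: three accounts in an in-memory database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    # Defective pattern: the input is spliced into the SQL text, so a quote
    # character in the input changes the structure of the statement itself.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Prepared statement: the statement text is fixed and the value travels
    # separately, so the database always treats it as data, never as SQL.
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Allow-list for the expected pattern, type and length of a username.
USERNAME_RE = re.compile(r"^[a-z][a-z0-9_]{0,31}$")


def validate_username(username):
    # Input validation: reject anything outside the expected shape before
    # it reaches the query layer.
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return username


def lookup_hardened(conn, username):
    # Both mitigations from the explanation, layered: validate, then bind.
    return lookup_parameterized(conn, validate_username(username))


def demo():
    conn = make_db()
    benign = "bob"
    hostile = "x' OR '1'='1"  # constructed tautology input for the comparison
    results = {
        "vulnerable_benign": lookup_vulnerable(conn, benign),
        # The concatenated statement becomes ... WHERE username = 'x' OR '1'='1'
        # and returns every row instead of none.
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),
        # The bound parameter is compared literally; no username matches.
        "parameterized_hostile": lookup_parameterized(conn, hostile),
    }
    try:
        lookup_hardened(conn, hostile)
        results["hardened_hostile"] = "accepted"
    except ValueError:
        results["hardened_hostile"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```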
Question 4
Which protocol is used to encrypt email in transit over the Internet?
A) SMTP
B) S/MIME
C) POP3
D) IMAP
Answer: B) S/MIME
Explanation:
S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard for securing email communication. It provides encryption to protect message confidentiality and digital signatures to ensure integrity and authenticity. Using public key infrastructure, S/MIME encrypts emails so only the intended recipient can decrypt them, protecting sensitive communications from interception or tampering. Organizations often implement S/MIME to secure internal and external email, ensuring compliance with data privacy regulations.
SMTP (Simple Mail Transfer Protocol) is used to send email but does not inherently provide encryption. SMTP can operate with STARTTLS to encrypt traffic in transit, but the protocol itself lacks message-level encryption. Therefore, while SMTP transports email, it does not provide end-to-end encryption as S/MIME does.
POP3 (Post Office Protocol 3) is a protocol for retrieving email from servers. While it may support encryption via SSL/TLS, it does not encrypt the content of the email itself. POP3 focuses on email retrieval rather than securing the message during transit.
IMAP (Internet Message Access Protocol) allows access to email on multiple devices and can synchronize folders. Like POP3, IMAP supports SSL/TLS encryption for secure communication with the mail server but does not inherently encrypt the email content.
The correct answer is S/MIME because it provides both encryption and digital signatures, protecting messages from interception, modification, and impersonation. Security+ candidates should understand email security standards, the difference between transport encryption and message encryption, and the role of PKI in email protection. S/MIME ensures confidentiality, integrity, and authenticity, making it a critical control for secure communications.
Question 5
Which of the following describes the purpose of a honeypot?
A) To capture unauthorized activity and analyze threats
B) To block all network traffic
C) To act as a backup server
D) To encrypt user data
Answer: A) To capture unauthorized activity and analyze threats
Explanation:
A honeypot is a cybersecurity tool designed to attract attackers and monitor their activities. It acts as a decoy system, appearing vulnerable while collecting information about attack methods, tools, and techniques. Honeypots allow security teams to study attackers’ behavior in a controlled environment, identify new threats, and improve detection and defense strategies. Honeypots are valuable for threat intelligence, research, and incident response planning.
Blocking all network traffic is the function of a firewall or network access control device. Firewalls prevent unauthorized access but do not provide insight into attacker behavior. A honeypot’s primary purpose is observation, not prevention.
Acting as a backup server is unrelated. Backup servers store copies of data for disaster recovery, whereas honeypots are designed to attract attacks. They are intentionally exposed, while backup servers are protected to ensure data integrity.
Encrypting user data protects confidentiality but is unrelated to honeypots. Encryption prevents unauthorized access to sensitive data but does not provide insight into attacker tactics or threat intelligence.
The correct answer is to capture unauthorized activity and analyze threats. Honeypots are proactive security tools used to learn about attack strategies, detect zero-day attacks, and enhance defensive measures. Security+ candidates should understand honeypot deployment, monitoring, and analysis to strengthen overall cybersecurity posture. By simulating vulnerable systems, organizations can gather intelligence while minimizing risk to production systems.
Question 6
Which type of malware restricts access to files and demands a ransom for release?
A) Rootkit
B) Trojan
C) Ransomware
D) Spyware
Answer: C) Ransomware
Explanation:
Ransomware is a type of malicious software designed to deny users access to files, applications, or entire systems until a ransom is paid, often in cryptocurrency. Its primary goal is financial gain through extortion. Typically, ransomware encrypts files using strong encryption algorithms, making them inaccessible without a decryption key held by the attacker. Some ransomware variants also threaten to release sensitive data publicly if payment is not made, further pressuring victims. The growing prevalence of ransomware attacks against individuals, businesses, and government institutions highlights the importance of preventive measures, backup strategies, and incident response planning for cybersecurity professionals.
Rootkits, represented by the first choice, are malicious software designed to conceal other malware or unauthorized activity from detection. Rootkits allow attackers to maintain persistent access to a system while hiding files, processes, or network connections. Although rootkits are dangerous, they do not typically encrypt user files or demand ransom payments, making them fundamentally different from ransomware. Understanding the distinction between rootkits and ransomware is critical because mitigation strategies differ. Rootkits often require deep system analysis and cleaning, whereas ransomware requires robust backup and recovery solutions.
The second choice, Trojan malware, refers to programs disguised as legitimate applications but designed to perform malicious actions when executed. Trojans can deliver various payloads, including ransomware, spyware, or keyloggers. While some ransomware is distributed via Trojans, the Trojan itself is not inherently ransomware. The key difference is that ransomware’s defining feature is the encryption of files coupled with ransom demands, whereas a Trojan is a delivery mechanism for a variety of attacks. Security+ candidates should understand that Trojans are often used to bypass user suspicion and facilitate ransomware infections but are not the same as ransomware in functionality or intent.
Spyware, represented by the fourth choice, is designed to collect information from a system without the user’s knowledge. Spyware may monitor keystrokes, capture browsing activity, or gather sensitive information such as login credentials. While spyware can compromise privacy and security, it does not restrict access to files or demand a ransom. The fundamental difference lies in the purpose: spyware is focused on information theft, whereas ransomware is focused on denial of access and extortion. Understanding the difference between ransomware and spyware is essential for Security+ candidates to implement appropriate detection and response measures.
Ransomware attacks are typically delivered through phishing emails, malicious attachments, drive-by downloads, or compromised websites. Once executed, ransomware can spread laterally across networks, encrypting shared drives, network storage, and critical applications. Defending against ransomware requires multiple strategies: implementing regular and tested backups, employing anti-malware solutions with behavioral detection, training users to recognize phishing attacks, segmenting networks to contain infections, and applying timely patches to mitigate vulnerabilities. Organizations must also develop incident response plans that include ransomware-specific procedures to reduce downtime and prevent data loss.
In conclusion, ransomware is defined by its ability to encrypt files and demand payment for their release. Rootkits, Trojans, and spyware, while harmful, differ in function: rootkits conceal, Trojans deliver malicious payloads, and spyware steals information. Security+ candidates need to understand ransomware’s operational characteristics, delivery methods, and mitigation techniques, as it represents one of the most prevalent and damaging types of malware in modern cybersecurity landscapes. Proper preparation, awareness, and layered defense are essential to reduce risk and respond effectively.
Question 7
Which type of attack involves sending unsolicited messages to multiple victims?
A) Phishing
B) Spam
C) Whaling
D) Vishing
Answer: B) Spam
Explanation:
Spam refers to unsolicited electronic messages, typically sent in bulk to a large number of recipients. Spam messages may serve various purposes, including advertising, scams, or malicious activities such as distributing malware or phishing links. While not inherently dangerous in every instance, spam is often a delivery mechanism for more targeted attacks, such as phishing or malware campaigns. Spam is a widespread issue, affecting both individuals and organizations, leading to productivity loss, network congestion, and increased exposure to security threats. Organizations employ spam filters, email gateways, and user training to reduce the impact of unsolicited messages.
Phishing, represented by the first choice, is a targeted attempt to trick individuals into divulging sensitive information such as credentials or financial data. While phishing emails are sometimes sent in bulk, the defining characteristic of phishing is deception aimed at obtaining sensitive information. Unlike general spam, which may be harmless or simply promotional, phishing messages are malicious and focused on tricking recipients into performing harmful actions. Security+ candidates must understand the difference because phishing represents a direct security threat, whereas spam is often the vehicle for such attacks.
Whaling, the third choice, is a form of phishing that targets high-profile individuals or executives, often called “big fish” in the context of organizational attacks. Whaling attacks are highly tailored, leveraging personal or organizational information to maximize credibility. While whaling uses emails similar to phishing, its defining characteristic is the high-value target and customized messaging, distinguishing it from mass unsolicited spam campaigns.
Vishing, the fourth choice, is phishing conducted via telephone calls rather than electronic messages. Vishing aims to deceive individuals into divulging sensitive information over the phone. Like phishing, vishing is targeted and malicious, but it is not sent to a bulk list of recipients electronically, making it fundamentally different from spam. Understanding vishing, phishing, and spam helps Security+ candidates recognize attack vectors and implement appropriate defensive controls.
Spam is often the first stage in a multi-step attack strategy. Attackers may use spam to distribute malware attachments, phishing links, or redirect users to malicious websites. Modern email security solutions incorporate content analysis, attachment scanning, and behavioral heuristics to block spam and mitigate associated threats. User awareness is critical, as individuals must recognize suspicious messages and avoid engaging with unsolicited content. By understanding spam as a delivery mechanism rather than an inherently malicious attack, Security+ candidates can design policies and defenses to reduce organizational exposure while maintaining operational efficiency.
In conclusion, the correct answer is spam because it represents bulk unsolicited messages sent to multiple recipients. Phishing, whaling, and vishing are more targeted attacks focused on deception and information theft. Security+ candidates must understand spam not only as a nuisance but as a common attack vector for more harmful exploits, emphasizing email security controls, content filtering, and user education to mitigate risk. Spam illustrates the importance of layered email security strategies and proactive threat detection in protecting organizational assets.
Question 8
Which of the following best describes multifactor authentication (MFA)?
A) Authentication using multiple passwords
B) Authentication using at least two different types of factors
C) Authentication using one password
D) Authentication using IP address verification
Answer: B) Authentication using at least two different types of factors
Explanation:
Multifactor authentication (MFA) is a security mechanism that requires users to present two or more distinct forms of authentication before granting access. The three main types of factors are something you know (password or PIN), something you have (security token, smart card), and something you are (biometric data such as fingerprints or iris scans). MFA significantly strengthens security by making it more difficult for attackers to gain unauthorized access, even if one factor is compromised.
The first choice, using multiple passwords, is insufficient for MFA. Although it may involve multiple pieces of knowledge, all factors belong to the same category—something you know. MFA requires factors from at least two different categories to provide meaningful protection against compromise. Multiple passwords alone do not prevent attackers who obtain or guess one of the credentials.
Using a single password, as described in the third choice, is the most basic form of authentication and represents single-factor authentication. This is vulnerable to password theft, brute-force attacks, and phishing. Security professionals advocate MFA because relying solely on a single password is inadequate for protecting sensitive systems and data.
IP address verification, the fourth choice, may be part of a risk-based or contextual access control system, but it is not sufficient alone for multifactor authentication. IP verification can help enforce location-based restrictions but does not constitute an authentication factor in the classical MFA sense. An IP address is considered an environmental factor rather than a distinct authentication factor.
The correct answer is MFA using at least two different types of factors. This approach dramatically reduces the likelihood of unauthorized access, even if attackers compromise a single factor. Security+ candidates must understand MFA implementation, benefits, and limitations. Proper MFA implementation protects user accounts, sensitive applications, and high-value data. It is a cornerstone of modern security, especially in enterprise environments, cloud services, and remote access scenarios. Layered defenses, including MFA, strengthen security posture and mitigate risks associated with credential theft, phishing attacks, and identity compromise.
Question 9
Which of the following attacks targets the availability of network services?
A) SQL injection
B) Denial of Service (DoS)
C) Man-in-the-middle
D) Cross-site scripting
Answer: B) Denial of Service (DoS)
Explanation:
A Denial of Service (DoS) attack is a malicious attempt to disrupt the availability of network resources, applications, or services for legitimate users. Attackers achieve this by overwhelming the target system with excessive traffic, consuming resources such as bandwidth, memory, or processing power. DoS attacks may be executed from a single system, but distributed denial of service (DDoS) attacks leverage multiple systems to amplify the impact, making mitigation more complex. Security professionals must deploy network monitoring, intrusion prevention systems, rate-limiting, and redundancy to reduce the risk and impact of DoS attacks.
SQL injection, represented by the first choice, targets data integrity and confidentiality rather than availability. Attackers exploit vulnerable database queries to extract sensitive data, modify records, or escalate privileges. SQL injection can cause some disruption, but its primary purpose is unauthorized data manipulation rather than service denial.
Man-in-the-middle attacks, the third choice, involve intercepting and potentially altering communications between two parties. The goal is to steal credentials, inject malicious content, or spy on communications. While these attacks affect confidentiality and integrity, they do not directly target service availability, distinguishing them from DoS attacks.
Cross-site scripting (XSS), the fourth choice, involves injecting malicious scripts into web applications to compromise user interactions. XSS primarily impacts the confidentiality and integrity of user data, allowing attackers to steal cookies, perform session hijacking, or manipulate the user interface. It does not aim to deny service to users or overwhelm network resources.
The correct answer is Denial of Service (DoS). DoS attacks directly target the availability aspect of the CIA triad, making them critical for Security+ candidates to understand. Proper mitigation includes redundancy, traffic filtering, rate-limiting, network segmentation, and DDoS protection services. Understanding DoS and its distributed variants helps candidates design resilient networks that maintain availability even under attack, a core principle of cybersecurity strategy and best practices.
Question 10
Which device inspects traffic at Layer 7 of the OSI model?
A) Router
B) Firewall
C) Switch
D) Application-layer firewall (proxy)
Answer: D) Application-layer firewall (proxy)
Explanation:
An application-layer firewall, or proxy firewall, operates at Layer 7 of the OSI model. It inspects network traffic based on application-specific data, such as HTTP requests, and can enforce granular security policies. By analyzing payload content, application-layer firewalls can prevent complex attacks like SQL injection, cross-site scripting, and malware delivery, which traditional Layer 3 or 4 firewalls might miss. These firewalls act as intermediaries, intercepting and filtering traffic between clients and servers, making them highly effective for monitoring and controlling application-layer communications.
Routers, represented by the first choice, primarily operate at Layer 3 of the OSI model. They route packets based on IP addresses and perform basic packet filtering but lack the ability to inspect application-layer content. While routers can enforce some access control and quality-of-service policies, they do not provide Layer 7 content inspection.
Firewalls, the second choice, vary in their capabilities. Traditional network firewalls operate at Layers 3 and 4, filtering traffic based on IP addresses, protocols, and ports. While effective for general network security, they cannot inspect or understand the payload content of applications, limiting their ability to prevent application-specific attacks.
Switches, the third choice, operate at Layer 2 and manage data frames within a local area network. While switches provide segmentation, traffic forwarding, and some security features like VLANs, they cannot perform deep inspection of Layer 7 traffic or enforce application-specific policies.
The correct answer is an application-layer firewall (proxy). It inspects, filters, and controls traffic based on application content, providing enhanced security and the ability to prevent sophisticated attacks. Security+ candidates must understand the differences between firewall types, the layers at which they operate, and the advantages of Layer 7 inspection. Implementing application-layer firewalls enhances visibility, enforces strict security policies, and reduces the risk of attacks targeting application vulnerabilities, a crucial aspect of modern network security.
Question 11
Which type of backup captures only the data that has changed since the last full backup?
A) Full backup
B) Incremental backup
C) Differential backup
D) Mirror backup
Answer: B) Incremental backup
Explanation:
Incremental backup is a data backup method where only the data that has changed since the last backup of any type, whether full or incremental, is copied. This approach significantly reduces storage requirements and shortens backup times, as only new or modified files are included. Incremental backups are commonly used in enterprise environments where daily full backups are impractical due to the volume of data or time constraints. Restoring data from incremental backups requires the last full backup plus all subsequent incremental backups to reconstruct the complete dataset accurately, which can make recovery more complex compared to other methods.
The first choice, full backup, captures all selected data in its entirety. Full backups are comprehensive, making restoration straightforward because only the most recent full backup is needed. However, they consume substantial storage and take longer to complete. While full backups provide the most complete snapshot of data, performing them frequently can be resource-intensive. Organizations often use full backups periodically in combination with incremental backups to balance storage efficiency and recovery speed.
Differential backup, represented by the third choice, copies all data changed since the last full backup, rather than since the last incremental or differential backup. Differential backups grow larger over time between full backups because they accumulate changes, which can lengthen backup time and consume more storage. However, restoration is simpler than incremental backups, as it requires only the last full backup and the latest differential backup. Differential backups are a compromise between storage efficiency and recovery complexity.
Mirror backup, the fourth choice, creates an exact copy of the source data, often in real time or at scheduled intervals. Mirror backups are useful for immediate recovery and redundancy but typically consume the same storage capacity as the original data. Unlike incremental backups, mirror backups do not track changes over time, making them less efficient for long-term storage and historical recovery scenarios. Mirror backups are more about real-time replication than traditional backup strategies.
Incremental backups are widely used in conjunction with full backups. For example, an organization may perform a weekly full backup followed by daily incremental backups. This strategy reduces storage and backup time while ensuring that all data can be restored, provided all incremental backups are available and intact. Security+ candidates should understand incremental backups because they illustrate concepts of efficiency, recovery strategy, and backup planning. Proper implementation involves scheduling, monitoring, and verifying backup integrity to ensure that critical data is recoverable in case of system failure, malware attacks, or accidental deletion.
In conclusion, incremental backup is defined by its method of copying only data that has changed since the last backup of any type. Full backups, differential backups, and mirror backups have different approaches, storage requirements, and recovery strategies. Security+ candidates must understand these distinctions to design effective data protection and disaster recovery plans, balancing efficiency, reliability, and operational constraints. Incremental backups play a key role in maintaining business continuity and minimizing downtime.
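The restore-chain trade-off described above, as an added example that is not from the original page: a small Python model of full, incremental and differential sets built over constructed daily changes, showing why incremental restores need every set since the full, why differentials cost more storage, and how one lost incremental breaks the chain. Block identifiers, contents and the day-numbered schedule are all constructed.

```python
from dataclasses import dataclass

@dataclass
class Backup:
    day: int
    kind: str               # "full", "incremental" or "differential"
    data: dict              # block id -> content captured (constructed stand-in for files)
    intact: bool = True     # False models a lost or corrupted backup set

def plan(changes: dict, base: dict, kind: str) -> list:
    """Day 0 is a full backup; each later day adds one backup of the given kind:
    incremental = blocks changed since the previous backup of any type,
    differential = every block changed since the last full (sets grow daily)."""
    backups = [Backup(0, "full", dict(base))]
    since_full = {}
    for day in sorted(changes):
        since_full.update(changes[day])
        captured = changes[day] if kind == "incremental" else since_full
        backups.append(Backup(day, kind, dict(captured)))
    return backups

def storage_cost(backups: list) -> int:
    return sum(len(b.data) for b in backups)   # total blocks held across all sets

def restore_chain(backups: list, target_day: int) -> list:
    """Sets that must be read to rebuild the data as of target_day."""
    upto = [b for b in backups if b.day <= target_day]
    last_full = max(i for i, b in enumerate(upto) if b.kind == "full")
    if upto[-1].kind == "differential":
        return [upto[last_full], upto[-1]]     # full + newest differential only
    return upto[last_full:]                    # full + every incremental since it

def restore(backups: list, target_day: int) -> dict:
    """Apply the chain oldest-first; one unusable set breaks the whole restore."""
    state = {}
    for b in restore_chain(backups, target_day):
        if not b.intact:
            raise RuntimeError(f"day {b.day} {b.kind} set unusable: chain broken")
        state.update(b.data)                   # newer copy of a block wins
    return state

BASE = {"a": "a0", "b": "b0", "c": "c0", "d": "d0", "e": "e0"}   # constructed: five blocks at the day-0 full
CHANGES = {1: {"a": "a1"}, 2: {"b": "b2"}, 3: {"a": "a3", "c": "c3"}}   # constructed edits, days 1-3

if __name__ == "__main__":
    inc, diff = plan(CHANGES, BASE, "incremental"), plan(CHANGES, BASE, "differential")
    print(storage_cost(inc), storage_cost(diff))                    # 9 vs 11 blocks stored
    print(len(restore_chain(inc, 3)), len(restore_chain(diff, 3)))  # 4 vs 2 sets to read
    inc[2].intact = False    # lose day 2's incremental: day 3 can no longer be rebuilt
    print(restore(diff, 3))  # the differential chain never needs day 2's set
```

Verifying backup integrity, as the text recommends, is what turns the `intact` flag from a model into a real check: a restore test against each set is the only way to know the chain will hold.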
Question 12
Which of the following best describes spear phishing?
A) Mass emails sent to thousands of recipients
B) Targeted phishing aimed at a specific individual or group
C) Social engineering via phone calls
D) Malware that spreads through removable media
Answer: B) Targeted phishing aimed at a specific individual or group
Explanation:
Spear phishing is a highly targeted form of phishing in which attackers craft messages specifically for an individual or group based on detailed information. The goal is to trick recipients into performing actions such as disclosing credentials, transferring funds, or clicking malicious links. Unlike generic phishing campaigns, spear phishing uses research about the target, including organizational roles, personal interests, and recent activities, to increase credibility. Spear phishing attacks are particularly dangerous because they appear legitimate, often bypassing automated email filters and relying on human trust to succeed. Organizations mitigate spear phishing through security awareness training, email filtering, and multi-factor authentication.
The first choice, mass emails sent to thousands of recipients, describes generic phishing or spam campaigns. These are less personalized and rely on volume rather than precision. While some recipients may fall victim, the success rate is lower than spear phishing because the messages are not tailored to the individual. Security+ candidates should understand the distinction because response strategies differ; generic phishing may be mitigated largely through email filtering, whereas spear phishing requires human vigilance and organizational training.
Social engineering via phone calls, or vishing, is represented by the third choice. Vishing involves using phone conversations to manipulate victims into divulging sensitive information. While vishing shares the social engineering element of spear phishing, it differs in medium and is not typically conducted through email. Security professionals must recognize that spear phishing specifically involves highly tailored electronic messages rather than telephone-based attacks.
The fourth choice, malware that spreads through removable media, is a delivery method rather than a phishing attack. While malware may be deployed alongside phishing campaigns, the act of sending a targeted message to manipulate the recipient’s actions is the defining characteristic of spear phishing, not the medium used to deliver malicious software.
Spear phishing is increasingly used in advanced persistent threats (APTs) against executives, financial officers, and critical personnel. By exploiting trust and specific knowledge, attackers maximize the likelihood of success. Defense strategies include verifying email sources, implementing multi-factor authentication, conducting user training, and establishing clear reporting channels for suspicious communications. Security+ candidates must understand spear phishing because it represents a high-risk threat vector, demonstrating how attackers combine social engineering, research, and technical delivery methods.
In conclusion, spear phishing is defined as targeted phishing aimed at specific individuals or groups using tailored messages to increase credibility. Mass emails, vishing, and malware via removable media represent different attack types or delivery methods. Security+ candidates should recognize spear phishing as a sophisticated threat requiring user awareness, multi-layered defenses, and proactive monitoring. Understanding spear phishing highlights the importance of human factors in cybersecurity and the necessity of training and verification procedures to reduce organizational risk.
Question 13
Which wireless security protocol is considered the most secure?
A) WEP
B) WPA
C) WPA2
D) WPA3
Answer: D) WPA3
Explanation:
WPA3 is the latest Wi-Fi security standard, designed to replace WPA2 and provide stronger encryption, improved authentication, and protection against brute-force attacks. It incorporates features such as Simultaneous Authentication of Equals (SAE) for secure password-based authentication, forward secrecy to protect past sessions if credentials are compromised, and enhanced encryption for enterprise networks. WPA3 is considered the most secure protocol currently available for wireless networks, mitigating vulnerabilities found in older standards. Security+ candidates must understand WPA3 because it represents modern best practices in wireless network security.
WEP (Wired Equivalent Privacy), represented by the first choice, is an outdated protocol that provides weak encryption and is highly vulnerable to attacks. Tools to crack WEP are widely available, and it can be compromised in minutes. WEP lacks integrity checks and uses static keys, making it unsuitable for modern wireless security. Organizations are strongly advised to disable WEP entirely.
WPA (Wi-Fi Protected Access), the second choice, improved upon WEP by introducing the Temporal Key Integrity Protocol (TKIP) for dynamic key generation. While it addressed some vulnerabilities, WPA still has weaknesses that can be exploited, particularly with older devices. WPA is largely obsolete today but serves as a historical step toward stronger security protocols.
WPA2, the third choice, became widely adopted due to its use of AES encryption, which offers stronger protection than TKIP. WPA2 is still used today and is relatively secure, though vulnerabilities such as the KRACK attack have highlighted potential weaknesses. WPA2 remains effective, especially when paired with strong passwords and proper configuration, but it lacks the advanced protections of WPA3.
The correct answer is WPA3 because it offers the highest security, mitigating the weaknesses of WEP, WPA, and WPA2. Its improvements make brute-force attacks significantly more difficult and provide better protection for enterprise and personal networks. Security+ candidates should understand WPA3 deployment considerations, backward compatibility, and best practices for securing wireless networks. Implementing WPA3 contributes to confidentiality, integrity, and resilience against modern wireless attacks, reflecting the evolution of network security standards.
Question 14
Which of the following is an example of a preventive control?
A) Security awareness training
B) Intrusion detection system
C) Firewall rules
D) Log review
Answer: C) Firewall rules
Explanation:
Preventive controls are security measures designed to stop security incidents before they occur. They aim to reduce risk by limiting potential attack vectors, restricting access, and enforcing security policies. Firewall rules are a classic example of preventive controls because they define which traffic is allowed or denied, preventing unauthorized access to networks and systems. By proactively controlling access at the network perimeter or between internal segments, firewall rules help enforce organizational security policies and reduce exposure to attacks. Security+ candidates must understand preventive controls because they form the first layer of defense in a comprehensive security strategy.
Security awareness training, the first choice, is primarily an administrative control aimed at influencing user behavior. While it may indirectly prevent attacks by educating users about phishing, social engineering, or safe computing practices, it is not inherently preventive in the technical sense. Training alone does not enforce system-level restrictions or block malicious activity.
An intrusion detection system (IDS), the second choice, is a detective control. It monitors network or system activity for signs of malicious behavior and generates alerts but does not stop attacks in real time. IDS helps identify security incidents after they occur, supporting incident response, forensic analysis, and policy enforcement.
Log review, the fourth choice, is another detective control. By analyzing system, network, or application logs, administrators can detect anomalies, suspicious activity, or attempted attacks. While critical for monitoring and compliance, log review identifies problems after they happen rather than preventing them.
The correct answer is firewall rules, which proactively prevent unauthorized access, enforce policies, and reduce risk exposure. Preventive controls like firewalls, access controls, and secure configurations are foundational in cybersecurity. Security+ candidates should recognize the distinction between preventive and detective controls and understand how layered defenses combine to provide robust protection. Firewall rules exemplify technical preventive measures that block threats before they can impact systems.
Question 15
Which attack involves an attacker intercepting and potentially altering communication between two parties?
A) Man-in-the-middle
B) Brute-force
C) SQL injection
D) Rootkit
Answer: A) Man-in-the-middle
Explanation:
A man-in-the-middle (MITM) attack occurs when an attacker intercepts communication between two parties without their knowledge. The attacker can eavesdrop, alter messages, inject malicious content, or impersonate one or both parties to steal sensitive information, such as login credentials, financial data, or personal communications. MITM attacks target confidentiality and integrity, bypassing traditional security measures by exploiting weak encryption, unsecured networks, or vulnerable communication protocols. Defense strategies include end-to-end encryption, secure protocols, certificate validation, and network segmentation. Security+ candidates must understand MITM attacks because they demonstrate the risks of unencrypted or poorly secured communication channels.
Brute-force attacks, represented by the second choice, attempt to guess passwords or encryption keys by systematically trying every possible combination. Brute-force attacks target authentication mechanisms rather than intercepting or modifying ongoing communications. While both MITM and brute-force attacks are common, their methods and targets are fundamentally different.
SQL injection, the third choice, exploits vulnerable database queries by inserting malicious code into input fields. SQL injection compromises confidentiality and integrity of data stored in databases but does not involve intercepting communications between two parties. SQL injection attacks typically require exploiting poorly validated input fields rather than observing or modifying transmitted messages.
Rootkits, the fourth choice, are malware designed to conceal unauthorized activity on a system, providing persistent access for attackers. Rootkits affect system integrity and can hide other malware but do not intercept or modify communication between parties. They are focused on persistence and concealment, not on eavesdropping or manipulating network traffic.
The correct answer is a man-in-the-middle attack because it directly involves intercepting, monitoring, or altering communication. Security+ candidates must understand attack vectors, detection methods, and mitigation techniques, including strong encryption, TLS, certificate management, and secure authentication protocols. MITM attacks highlight the importance of protecting data in transit and validating the integrity and authenticity of communications, which are essential for preserving confidentiality and trust in modern networks.
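The integrity side of the defenses listed above, as an added example that is not part of the original page: two parties share a key and protect each message with an HMAC-SHA256 tag, so a message altered in transit is rejected, while an unauthenticated receiver accepts the altered copy. The message format, field names and key are constructed for this example; the tamper routine is a test fixture standing in for the in-path alteration the text describes.

```python
import hashlib
import hmac
import json
from typing import Optional

# Shared secret agreed out of band; constructed for this example only.
KEY = b"constructed-demo-key-not-for-real-use"

def send(payload: dict, key: bytes) -> bytes:
    """Sender side: canonical JSON body followed by an HMAC-SHA256 tag over that body."""
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag

def receive(wire: bytes, key: bytes) -> Optional[dict]:
    """Receiver side: recompute the tag and compare in constant time.
    Returns the payload only if it arrived exactly as a key holder sent it."""
    body, _, tag = wire.rpartition(b".")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None                      # altered in transit or not from a key holder: drop it
    return json.loads(body)

def receive_unauthenticated(wire: bytes) -> dict:
    """Weak receiver for contrast: trusts whatever body arrives and ignores the tag."""
    body, _, _ = wire.rpartition(b".")
    return json.loads(body)

def tamper_for_test(wire: bytes, field: str, new_value) -> bytes:
    """Test fixture modelling in-path alteration: one field is rewritten while the
    original tag is kept, since the key is not available to the in-path party."""
    body, _, tag = wire.rpartition(b".")
    msg = json.loads(body)
    msg[field] = new_value
    return json.dumps(msg, sort_keys=True).encode() + b"." + tag

if __name__ == "__main__":
    wire = send({"to": "ACCT-001", "amount": 250}, KEY)   # constructed transfer message
    altered = tamper_for_test(wire, "to", "ACCT-999")
    print(receive_unauthenticated(altered))   # weak channel accepts the altered destination
    print(receive(altered, KEY))              # authenticated channel returns None
    print(receive(wire, KEY))                 # untouched message is accepted
```

A MAC covers integrity and authenticity only; the confidentiality half of the MITM threat still needs encryption, which in practice means TLS with proper certificate validation rather than a hand-built scheme like this one.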