CompTIA SY0-701 CompTIA Security+ Exam Dumps and Practice Test Questions Set 3 Q31-45
Question 31
Which type of malware is designed to demand payment to restore access to data or systems?
A) Ransomware
B) Trojan
C) Worm
D) Adware
Answer: A) Ransomware
Explanation:
Ransomware is a type of malware that encrypts files or locks systems, making them inaccessible until a ransom is paid to the attacker. The primary goal of ransomware is financial gain. Attackers often demand payment in cryptocurrency to make tracing difficult. Ransomware spreads through phishing emails, malicious downloads, and drive-by attacks, often exploiting human error or outdated systems. Once executed, it can encrypt individual files, entire drives, or network shares. Recovery without paying the ransom typically requires backups, incident response plans, or decryption tools if available. Security+ candidates must understand ransomware because it demonstrates the importance of backups, patch management, endpoint protection, and user training.
Trojans, represented by the second choice, disguise themselves as legitimate software to trick users into executing them. While Trojans can carry ransomware payloads, they are not inherently designed to demand payment. Trojans focus on providing attackers access or control, whereas ransomware’s defining feature is extortion.
Worms, the third choice, are self-replicating malware that spread across networks. Worms can carry ransomware, but their primary purpose is propagation rather than extortion. Worms exploit vulnerabilities to move from system to system, sometimes delivering additional payloads like Trojans or ransomware.
Adware, the fourth choice, displays unwanted advertisements and may collect user data. Adware can be intrusive, but it does not encrypt files or demand payment. Its primary effect is on user experience and privacy rather than system functionality or financial gain.
The correct answer is ransomware because it is specifically designed to extort money by denying access to systems or data. Mitigation includes regular backups, patching, endpoint security, network segmentation, and user education. Security+ candidates should understand ransomware delivery methods, detection techniques, and recovery strategies to minimize financial and operational impact from such attacks.
Question 32
Which of the following is a common form of multi-factor authentication?
A) Password and fingerprint
B) Password only
C) Security question only
D) Single-use token only
Answer: A) Password and fingerprint
Explanation:
Multi-factor authentication (MFA) combines two or more authentication factors to increase security. A common implementation involves something the user knows, such as a password, and something the user has or is, such as a fingerprint or token. Using multiple factors ensures that even if one factor is compromised, unauthorized access is more difficult. MFA is widely recommended for protecting sensitive systems, accounts, and network access. Security+ candidates must understand MFA, as it is a critical method for reducing risk associated with credential compromise.
Password only, represented by the second choice, is single-factor authentication. While passwords are essential, relying on knowledge alone is vulnerable to phishing, brute-force attacks, and password reuse. MFA strengthens authentication by requiring additional factors beyond passwords.
Security question only, the third choice, also represents a single-factor approach. While knowledge-based authentication can supplement security, it is easily guessed, socially engineered, or discovered through public information. It cannot replace a second factor in robust authentication practices.
Single-use token only, the fourth choice, relies on possession for authentication but is still considered a single factor if not combined with something the user knows or is. While single-use tokens increase security compared to static passwords, combining them with another factor provides more comprehensive protection.
The correct answer is password and fingerprint because combining a knowledge factor with a biometric factor strengthens security. Security+ candidates should understand the different types of authentication factors—knowledge, possession, and inherence—and how they can be combined to reduce risk, prevent unauthorized access, and comply with best practices and regulatory requirements. Implementing MFA is considered one of the most effective preventive security controls.
Question 33
Which of the following best describes a zero-day vulnerability?
A) A vulnerability known only to attackers before patches exist
B) A vulnerability patched by software vendors
C) A vulnerability that cannot be exploited
D) A vulnerability in outdated software only
Answer: A) A vulnerability known only to attackers before patches exist
Explanation:
A zero-day vulnerability is a software or system flaw that is unknown to the vendor or developer and is exploited by attackers before any patch or mitigation is available. The term “zero-day” refers to the fact that developers have had zero days to address the issue. Zero-day exploits are highly valuable in cybercrime and advanced persistent threats because they bypass existing security measures. They can be used in targeted attacks, malware delivery, or system compromise. Security+ candidates must understand zero-day vulnerabilities to implement defense-in-depth strategies such as intrusion detection, network monitoring, timely patching, and endpoint protection.
A vulnerability patched by software vendors, represented by the second choice, is not zero-day. Once a patch is released, the vulnerability is known and mitigated, reducing its exploit window. Security professionals should apply patches promptly to prevent exploitation of known vulnerabilities.
A vulnerability that cannot be exploited, the third choice, does not constitute a zero-day. Zero-day vulnerabilities are exploitable, which is why they pose a significant risk. If a flaw cannot be exploited, it is not actively dangerous to systems.
A vulnerability in outdated software only, the fourth choice, describes a known vulnerability that may exist in legacy or unpatched systems. While such vulnerabilities can be exploited, they are not zero-day because attackers can reference public advisories or databases. Zero-day exploits are distinct because they occur before public disclosure and patches.
The correct answer is a vulnerability known only to attackers before patches exist. Security+ candidates must understand that zero-day attacks emphasize the importance of layered security, proactive monitoring, and rapid response strategies to detect suspicious behavior, contain breaches, and maintain system integrity and availability even when unknown threats exist.
Question 34
Which of the following is the primary goal of a penetration test?
A) Identify and exploit vulnerabilities to assess security
B) Scan for viruses on endpoints
C) Encrypt sensitive files for protection
D) Monitor network traffic for anomalies
Answer: A) Identify and exploit vulnerabilities to assess security
Explanation:
A penetration test, or pentest, is a controlled exercise in which security professionals simulate attacks on systems, networks, or applications to identify vulnerabilities and assess the effectiveness of security controls. The purpose is to proactively find weaknesses before attackers do and recommend remediation. Pentesting involves various techniques, including social engineering, network scanning, exploitation of vulnerabilities, and reporting findings. Security+ candidates must understand penetration testing because it demonstrates risk assessment, vulnerability management, and the practical application of security measures in real-world scenarios.
Scanning for viruses on endpoints, represented by the second choice, is a preventive measure to detect malware rather than assessing the organization’s security posture through simulated attacks. While endpoint protection is important, it does not provide insight into the effectiveness of security controls or potential exploit paths.
Encrypting sensitive files for protection, the third choice, is a method of maintaining confidentiality. While encryption mitigates risk, it does not simulate attacks or identify system weaknesses. Pentesting evaluates the organization’s exposure to threats rather than directly protecting data.
Monitoring network traffic for anomalies, the fourth choice, is a detective control that can alert administrators to suspicious activity. Network monitoring provides visibility but does not proactively exploit vulnerabilities to assess risk like a penetration test does.
The correct answer is to identify and exploit vulnerabilities to assess security. Penetration testing provides insight into system weaknesses, evaluates security policies, and guides risk mitigation strategies. Security+ candidates should understand different types of penetration tests, including black-box, white-box, and gray-box approaches, as well as reporting and remediation best practices. Effective pentesting supports continuous improvement of security posture and helps organizations comply with regulatory requirements and industry standards.
Question 35
Which of the following is a characteristic of ransomware-as-a-service (RaaS)?
A) Attackers provide ransomware tools to affiliates for a share of profits
B) Malware that only spreads through email attachments
C) Malware that removes itself after infection
D) Malware that targets only financial institutions
Answer: A) Attackers provide ransomware tools to affiliates for a share of profits
Explanation:
Ransomware-as-a-service is a model in which attackers develop ransomware tools and provide them to affiliates who distribute them. Affiliates receive guidance, support, and the ransomware code, while the original developers retain a portion of the profits. This model lowers the barrier to entry for cybercriminals, enabling less technically skilled individuals to launch attacks. RaaS operations often include dashboards, technical support, and payment handling mechanisms. Security+ candidates must understand RaaS because it illustrates the commoditization of cybercrime, the scaling of ransomware attacks, and the need for preventive measures such as user education, network segmentation, endpoint protection, and incident response planning.
Malware that only spreads through email attachments, represented by the second choice, describes a delivery method rather than a business model. RaaS is not limited to one propagation vector; affiliates may distribute ransomware through phishing, drive-by downloads, or network exploits.
Malware that removes itself after infection, the third choice, is not characteristic of ransomware, which typically persists until the ransom is paid or a recovery solution is implemented. RaaS emphasizes persistence, monetization, and coordinated distribution rather than self-deletion.
Malware that targets only financial institutions, the fourth choice, is too narrow. RaaS is generalized and can target any organization or individual susceptible to attacks, not exclusively financial institutions. The model relies on scaling attacks across multiple targets to maximize profit.
The correct answer is that attackers provide ransomware tools to affiliates for a share of profits. Security+ candidates must understand the operational model, risks, and mitigation strategies related to RaaS, including proactive defenses, backups, user training, and incident response procedures to minimize impact from ransomware attacks.
Question 36
Which type of attack attempts to manipulate DNS settings to redirect users to malicious sites without their knowledge?
A) Pharming
B) Phishing
C) Man-in-the-middle
D) Cross-site scripting
Answer: A) Pharming
Explanation:
Pharming is a cyberattack where users are redirected from legitimate websites to malicious websites without their knowledge, often by exploiting vulnerabilities in DNS servers or altering local DNS configurations on the victim’s system. The malicious site is designed to mimic a legitimate website, tricking users into entering sensitive information such as usernames, passwords, or financial data. Unlike phishing, which relies on deceiving users into clicking on fraudulent links, pharming can occur without any user action, making it particularly dangerous. By compromising DNS settings or poisoning DNS caches, attackers ensure that even legitimate URLs resolve to their malicious servers. This attack targets both confidentiality and trust, as users may unknowingly disclose sensitive information. Security+ candidates must understand pharming because it highlights the intersection of technical exploitation and social engineering. Preventive measures include monitoring and securing DNS servers, using DNSSEC to verify DNS responses, regularly checking system hosts files, enforcing HTTPS, and educating users about warning signs of fake websites.
Phishing, the second choice, is a social engineering attack where attackers send deceptive messages, typically via email, to convince users to reveal sensitive information. Phishing requires the victim to take some action, such as clicking a link or opening an attachment. While phishing and pharming can both result in credential theft, the mechanisms differ: phishing exploits human behavior, whereas pharming manipulates system infrastructure to redirect users. Phishing is easier to detect for vigilant users because the suspicious message can raise awareness, while pharming operates silently and can affect a large number of users simultaneously.
Man-in-the-middle, the third choice, intercepts communication between two parties, allowing attackers to monitor or modify data in transit. MITM attacks focus on capturing or altering communication rather than redirecting users to fraudulent websites. While both MITM and pharming compromise confidentiality, the attack vectors differ. MITM requires the attacker to be in a position to intercept traffic, often through network access, whereas pharming exploits DNS or system-level settings, affecting users regardless of network interception.
Cross-site scripting, the fourth choice, injects malicious scripts into a website to compromise users’ browsers. XSS attacks typically steal session cookies or perform unauthorized actions on behalf of users. While XSS can compromise confidentiality and integrity, it relies on web application vulnerabilities and user interaction within a legitimate website. In contrast, pharming manipulates the resolution of website addresses, redirecting users entirely to malicious websites without relying on scripting within a legitimate site.
The correct answer is pharming because it directly manipulates DNS infrastructure or local system settings to redirect users to malicious websites without their knowledge. Mitigating pharming requires a combination of technical controls, user awareness, and secure network configurations. Organizations should implement DNS security measures, enforce secure DNS resolution, use HTTPS, and educate users to verify website authenticity. Security+ candidates must recognize pharming as a sophisticated attack that combines technical exploitation with potential social engineering impacts, demonstrating the importance of layered security strategies that include both infrastructure protections and user vigilance. Understanding pharming also highlights the broader principle of verifying trust in network communications and systems, emphasizing the need for proactive monitoring, patching, and protective measures to maintain system integrity and confidentiality.
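The explanation above lists "regularly checking system hosts files" as a pharming mitigation. The script below is an added example, not part of the original practice test, showing what such a check can look like: it parses hosts-file content and flags any monitored hostname pinned to a routable address. The hosts content, the address values and the WATCHED_HOSTS list are all constructed for the example.

```python
import ipaddress

# Constructed sample of hosts-file content, written to resemble a system whose
# local name resolution has been tampered with. Not taken from any real host.
SAMPLE_HOSTS = """\
# Default entries
127.0.0.1       localhost
::1             localhost
# Developer override (legitimate for a local test setup)
127.0.0.1       dev.internal.example
# Public hostnames pinned to non-loopback addresses: the pattern a pharming
# attack leaves behind when it edits the hosts file
203.0.113.45    online.bank.example www.bank.example
198.51.100.7    login.mail.example
"""

# Hypothetical list of hostnames the organisation wants to watch (assumption).
WATCHED_HOSTS = {"online.bank.example", "www.bank.example", "login.mail.example"}


def parse_hosts(text):
    """Yield (ip_address, [hostnames]) for each non-comment, non-blank line."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed address field; skip rather than crash
        yield ip, parts[1:]


def find_suspicious_overrides(text, watched=WATCHED_HOSTS):
    """Return [(hostname, ip)] for watched names that resolve, via the hosts
    file, to a routable address. Loopback, link-local and unspecified
    addresses are treated as benign local overrides."""
    findings = []
    for ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            continue
        for name in names:
            if name.lower() in watched:
                findings.append((name.lower(), str(ip)))
    return findings


if __name__ == "__main__":
    for host, ip in find_suspicious_overrides(SAMPLE_HOSTS):
        print(f"suspicious override: {host} -> {ip}")
```

In a real deployment the check would read /etc/hosts (or the Windows equivalent) instead of the embedded string and compare the flagged addresses against the addresses DNSSEC-validated resolution returns; here the sample content keeps the example self-contained.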
Question 37
Which type of attack uses automated tools to guess passwords until access is gained?
A) Brute-force
B) Phishing
C) Keylogger
D) SQL injection
Answer: A) Brute-force
Explanation:
A brute-force attack is a method used by attackers to gain unauthorized access by systematically attempting every possible combination of passwords or encryption keys. Automated tools are commonly used to perform these attacks efficiently, particularly against accounts with weak or simple passwords. The effectiveness of brute-force attacks depends on password complexity, length, and system rate-limiting mechanisms. Brute-force attacks can target online authentication systems, local files, encrypted documents, or wireless networks. Security+ candidates must understand brute-force attacks to implement strong passwords, account lockout policies, multi-factor authentication, and monitoring mechanisms that detect unusual login attempts. The primary goal is to compromise authentication by exploiting weak credentials rather than exploiting technical vulnerabilities in software or systems.
Phishing, the second choice, involves tricking users into providing sensitive information by deception, usually via email or messaging. While phishing may result in password compromise, it does not systematically guess credentials. Phishing relies on human behavior rather than computational brute-force techniques. The contrast is important: brute-force is technical and systematic, while phishing is social engineering-based.
Keyloggers, the third choice, are malware designed to capture user keystrokes, including passwords. Keyloggers directly record user input, so the attacker obtains the credential without any guessing. While both brute-force and keyloggers aim to acquire credentials, their methods differ: keyloggers require infection and surveillance, whereas brute-force attacks are algorithmic and exploit weak password entropy. Security+ candidates should recognize the distinction because mitigation strategies differ: keyloggers require endpoint security, while brute-force requires strong password policies and account protections.
SQL injection, the fourth choice, is a web application attack targeting unsanitized input fields to execute malicious SQL commands. SQL injection is aimed at data extraction or modification rather than guessing credentials through systematic attempts. While attackers can use SQL injection to retrieve authentication data, it is not considered a brute-force attack because it relies on exploiting application vulnerabilities rather than exhaustive guessing.
The correct answer is brute-force because it systematically attempts every possible credential combination until access is obtained. Mitigation includes using strong, complex passwords, multi-factor authentication, account lockout policies, and monitoring for failed login attempts. Security+ candidates must understand the mechanics of brute-force attacks, password entropy, and protective measures to prevent unauthorized access through automated guessing. Understanding brute-force attacks emphasizes the importance of robust authentication practices, layered defenses, and proactive security monitoring in organizational cybersecurity strategies.
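The mitigation list above ends with "monitoring for failed login attempts". The following added example (not from the practice test) shows the detection side of that: it parses a constructed, simplified authentication log, counts failures per (user, source address) in a sliding one-minute window, and flags pairs that reach the threshold. It also records whether a flagged pair later succeeded, the case a responder most wants to see. The log format, timestamps, usernames and addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log excerpt in a simplified syslog-like format (not real data).
# alice: six failures in ten seconds, then a success (burst followed by login).
# bob: three failures spread over half an hour (ordinary typos, not a burst).
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:00:03 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:00:04 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:00:06 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:00:07 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:00:09 sshd: Failed password for alice from 203.0.113.9
2024-05-01T10:00:15 sshd: Accepted password for alice from 203.0.113.9
2024-05-01T10:05:00 sshd: Failed password for bob from 198.51.100.4
2024-05-01T10:20:00 sshd: Failed password for bob from 198.51.100.4
2024-05-01T10:35:00 sshd: Failed password for bob from 198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(text):
    """Return [(timestamp, failed: bool, user, ip)] for lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]),
                       m["result"] == "Failed", m["user"], m["ip"]))
    return events


def detect_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window failure counter keyed by (user, ip).

    Returns (flagged, suspect): `flagged` holds keys that reached `threshold`
    failures inside `window`; `suspect` is the subset that afterwards logged
    in successfully, which should be escalated as a possible compromise."""
    recent = defaultdict(list)   # key -> timestamps of failures in the window
    flagged, suspect = set(), set()
    for ts, failed, user, ip in sorted(events):
        key = (user, ip)
        if not failed:
            if key in flagged:
                suspect.add(key)
            recent[key].clear()  # a success resets the running count
            continue
        bucket = recent[key]
        bucket.append(ts)
        while bucket and ts - bucket[0] > window:   # expire old failures
            bucket.pop(0)
        if len(bucket) >= threshold:
            flagged.add(key)
    return flagged, suspect


if __name__ == "__main__":
    flagged, suspect = detect_bursts(parse_events(SAMPLE_LOG))
    for user, ip in sorted(flagged):
        tag = "LOGIN AFTER BURST" if (user, ip) in suspect else "burst"
        print(f"{tag}: {user} from {ip}")
```

The threshold and window are the tunable parts of such a rule; the same counter keyed by source address alone (ignoring the username) would also surface password spraying, where one source tries a few guesses against many accounts.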
Question 38
Which type of attack is most commonly used to steal credentials by pretending to be a legitimate website?
A) Phishing
B) SQL injection
C) Worm
D) DDoS
Answer: A) Phishing
Explanation:
Phishing is a social engineering attack where attackers impersonate trusted entities to steal sensitive information, often through emails, messages, or fake websites. The attacker typically creates a message that appears to be from a legitimate organization, prompting the user to enter login credentials, financial information, or personal data. Phishing attacks can lead to account compromise, identity theft, financial loss, or unauthorized access to systems. Security+ candidates must understand phishing because it is one of the most prevalent threats, emphasizing the importance of user training, email filtering, and multi-factor authentication. Phishing exploits human trust and inattention rather than technical vulnerabilities in software or networks.
SQL injection, the second choice, exploits web application vulnerabilities to manipulate database queries. SQL injection can result in data theft or modification, but does not rely on impersonation or deception to capture credentials. While SQL injection can extract login data from a database, it is a technical attack rather than a social engineering attack like phishing.
Worms, the third choice, are self-replicating malware that spread across networks without user interaction. Worms focus on propagation and may deliver a payload, but do not actively deceive users into entering credentials. While worms can facilitate data theft if combined with other malware, they are fundamentally different from phishing in terms of method and objective.
DDoS, the fourth choice, is designed to overwhelm systems or networks to make them unavailable. DDoS does not involve stealing credentials or exploiting human behavior. Its focus is availability rather than confidentiality or social engineering.
The correct answer is phishing because it specifically relies on deception to trick users into revealing credentials. Security+ candidates should understand attack techniques such as email phishing, link spoofing, and malicious websites, as well as mitigation measures including email filtering, user awareness programs, and multi-factor authentication. Recognizing phishing patterns and educating users are critical in preventing credential theft and maintaining organizational security.
Question 39
Which security control aims to detect suspicious activity and respond in real time?
A) Intrusion Detection System (IDS)
B) Firewall
C) Antivirus software
D) Encryption
Answer: A) Intrusion Detection System (IDS)
Explanation:
An Intrusion Detection System is a security control designed to monitor networks or systems for signs of malicious activity or policy violations. IDS solutions can be signature-based, looking for known patterns of attack, or anomaly-based, detecting deviations from normal behavior. IDS alerts administrators to potential threats, enabling rapid response and mitigation. Network-based IDS monitors traffic, while host-based IDS monitors system activity and logs. Security+ candidates must understand IDS because it plays a critical role in proactive security monitoring, threat detection, and incident response planning. IDS does not prevent attacks but provides visibility, situational awareness, and actionable alerts that enable security teams to act before damage occurs.
Firewalls, represented by the second choice, are preventive controls that filter incoming and outgoing network traffic based on rules. While firewalls block unauthorized access, they do not typically alert administrators to suspicious behavior in real time unless integrated with monitoring tools. IDS complements firewalls by providing detection capabilities rather than prevention alone.
Antivirus software, the third choice, scans for known malware and removes or quarantines infected files. Antivirus is primarily a preventive and reactive control focused on malware detection, not real-time monitoring of network or system anomalies. While antivirus contributes to security posture, it does not provide the same situational awareness or detailed alerts as an IDS.
Encryption, the fourth choice, protects data confidentiality by converting information into a format that is unreadable without the appropriate key. Encryption secures data in transit or at rest but does not detect or respond to suspicious activity. IDS focuses on identifying threats, while encryption focuses on safeguarding information.
The correct answer is Intrusion Detection System because it is specifically designed to detect and alert on suspicious activity, enabling a timely response. Security+ candidates should understand IDS types, deployment strategies, integration with other security tools, and the importance of real-time monitoring in maintaining network and system security. Proper implementation of IDS supports proactive defense, threat mitigation, and incident response, making it a vital component of comprehensive cybersecurity strategies.
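The explanation contrasts signature-based detection (known attack patterns) with anomaly-based detection (deviation from normal behaviour). The code below is an added example, not part of the original practice test, that runs both approaches over a constructed, simplified web access log: a small signature table matched against request paths, and a baseline heuristic that flags any client whose request count exceeds three times the median. The log lines, addresses and signature names are constructed; the signature set is deliberately tiny and illustrative.

```python
import re
import statistics
from collections import Counter

# Constructed, simplified access-log lines: "<client-ip> <method> <path> <status>".
NORMAL = [
    "198.51.100.10 GET /index.html 200",
    "198.51.100.10 GET /about 200",
    "198.51.100.10 GET /static/app.js 200",
    "198.51.100.11 GET /index.html 200",
    "198.51.100.11 GET /contact 200",
    "198.51.100.12 GET /index.html 200",
    "198.51.100.12 GET /products?id=42 200",
]
# One request carrying a known path-traversal pattern (the signature case).
SIGNATURE_CASE = ["203.0.113.5 GET /download?file=../../app.conf 403"]
# Twelve login attempts from one client; each line alone looks ordinary,
# only the volume stands out (the anomaly case).
BURST = ["203.0.113.6 POST /login 401" for _ in range(12)]
SAMPLE_LOG = NORMAL + SIGNATURE_CASE + BURST

# Illustrative signature table: rule name -> pattern to look for in the path.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"(?i)\bor\b\s+1\s*=\s*1"),
    "xss-script-tag": re.compile(r"(?i)<script"),
}

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3})$")


def parse(lines):
    """Return one dict per well-formed line; malformed lines are skipped."""
    records = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records


def signature_alerts(records):
    """Signature-based: match each request path against the known patterns."""
    alerts = []
    for r in records:
        for name, rx in SIGNATURES.items():
            if rx.search(r["path"]):
                alerts.append((r["ip"], name))
    return alerts


def anomaly_alerts(records, factor=3):
    """Anomaly-based: flag clients whose request count exceeds `factor` times
    the median per-client count. The median is used as the baseline because a
    single noisy client does not drag it upward the way a mean would."""
    counts = Counter(r["ip"] for r in records)
    baseline = statistics.median(counts.values())
    return sorted(ip for ip, n in counts.items() if n > factor * baseline)


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("signature alerts:", signature_alerts(recs))
    print("anomaly alerts:  ", anomaly_alerts(recs))
```

Note which case each detector misses: the burst contains no known pattern, so the signature rules are silent on it, and the single traversal request is far below any volume threshold, so the anomaly rule is silent on that. An IDS that uses both methods covers both.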
Question 40
Which type of attack involves sending large volumes of traffic to a system to make it unavailable?
A) Denial of Service (DoS)
B) SQL injection
C) Phishing
D) Keylogger
Answer: A) Denial of Service (DoS)
Explanation:
Denial of Service attacks aim to make systems, networks, or applications unavailable to legitimate users by overwhelming them with traffic or resource requests. DoS attacks consume server resources such as CPU, memory, or bandwidth, preventing normal operations. Attackers may use botnets or multiple compromised systems in a distributed DoS (DDoS) to amplify the attack and bypass basic mitigations. DoS attacks primarily impact availability, one of the core elements of the CIA triad. Security+ candidates must understand DoS attacks to implement mitigation strategies, such as rate limiting, redundancy, load balancing, traffic filtering, and incident response plans.
SQL injection, the second choice, is a web application vulnerability exploited to manipulate or extract database information. SQL injection targets confidentiality and integrity rather than availability. While excessive queries could incidentally cause resource strain, SQL injection is not inherently a DoS attack.
Phishing, the third choice, is a social engineering attack aimed at obtaining credentials or sensitive information. Phishing does not attempt to overwhelm system resources, so it does not directly affect availability.
Keyloggers, the fourth choice, capture user input, including passwords, to steal credentials. Keyloggers are malware focused on data compromise rather than making systems unavailable.
The correct answer is Denial of Service because it is explicitly designed to overwhelm resources and prevent legitimate users from accessing systems or services. Security+ candidates must understand DoS and DDoS attack methods, mitigation strategies, and monitoring techniques to maintain availability and system resilience. DoS attacks highlight the importance of redundancy, traffic management, and incident response in organizational cybersecurity planning.
Question 41
Which type of attack allows an attacker to impersonate another device or user on a network to intercept or manipulate traffic?
A) Spoofing
B) Brute-force
C) Phishing
D) Adware
Answer: A) Spoofing
Explanation:
Spoofing is a network attack in which an attacker impersonates another device, user, or system to gain unauthorized access, intercept communications, or manipulate data. Common forms include IP spoofing, ARP spoofing, email spoofing, and DNS spoofing. In IP spoofing, attackers forge the source IP address in packet headers to bypass network security controls or trick systems into sending data to the wrong destination. ARP spoofing allows attackers to associate their MAC address with the IP address of another host, redirecting network traffic through their device, enabling man-in-the-middle attacks or packet capture. Email spoofing involves falsifying the sender’s address to appear legitimate, often in phishing campaigns. DNS spoofing manipulates domain name resolutions to redirect users to malicious sites. Security+ candidates must understand spoofing because it illustrates the importance of authentication, encryption, network segmentation, and monitoring to prevent unauthorized access and data compromise.
Brute-force attacks, the second choice, attempt to gain access by systematically guessing passwords or keys. While brute-force targets authentication credentials, it does not involve impersonating other devices or manipulating network traffic. The goal is access via guessing rather than deception in network identity.
Phishing, the third choice, is a social engineering attack that tricks users into providing sensitive information, typically via email. Phishing exploits human trust rather than network protocols or device identity. While email spoofing is sometimes part of phishing campaigns, phishing itself focuses on user deception and credential theft, not the broader impersonation techniques seen in spoofing.
Adware, the fourth choice, displays unwanted advertisements and may collect user data. Adware does not impersonate devices or users and is primarily a privacy or annoyance issue rather than a network-level deception attack.
The correct answer is spoofing because it specifically involves impersonation to intercept or manipulate network traffic. Security+ candidates should recognize the various forms of spoofing, understand the vulnerabilities exploited, and apply mitigations such as strong authentication, encryption, digital signatures, secure routing protocols, and monitoring tools to detect anomalous activity. Spoofing demonstrates the need for both technical controls and network vigilance to maintain confidentiality, integrity, and trust in communications.
Question 42
Which type of malware can replicate itself across systems without user interaction?
A) Worm
B) Trojan
C) Ransomware
D) Keylogger
Answer: A) Worm
Explanation:
A worm is a self-replicating type of malware that spreads across networks or systems without any action required by the user. Unlike Trojans, which require execution by the user, worms exploit system vulnerabilities, unpatched software, or network misconfigurations to propagate automatically. Worms can consume network bandwidth, slow system performance, and deliver additional payloads such as ransomware or remote access tools. Notable examples include the WannaCry and Code Red worms, which caused widespread disruption by exploiting vulnerabilities in operating systems. Security+ candidates must understand worms because they demonstrate the importance of patch management, network segmentation, firewalls, and intrusion detection to prevent uncontrolled propagation. Worms are particularly dangerous in enterprise networks where a single infected system can compromise an entire environment quickly.
Trojans, represented by the second choice, masquerade as legitimate software to trick users into executing them. Trojans rely on social engineering and require user interaction to infect systems. Unlike worms, Trojans do not self-replicate across networks autonomously. Their primary purpose is to deliver malicious payloads such as keyloggers, spyware, or ransomware.
Ransomware, the third choice, encrypts or locks user data to extort payment. While ransomware may spread through phishing emails or network shares, it does not inherently self-propagate without user or system actions. Worms, by contrast, autonomously replicate across vulnerable systems, making them faster-moving threats.
Keyloggers, the fourth choice, capture keystrokes for credential theft. They are typically installed manually or via Trojans and do not replicate themselves. Worms are distinguished by their ability to spread automatically without intervention, whereas keyloggers focus solely on data capture.
The correct answer is worm because it autonomously spreads across systems and networks, exploiting vulnerabilities without user action. Security+ candidates should recognize the rapid threat posed by worms, the importance of patching systems promptly, and preventive measures, including intrusion detection, endpoint protection, and segmentation, to contain infections. Understanding worms highlights the necessity of proactive monitoring and layered security to reduce risk from rapidly propagating malware.
Question 43
Which security principle ensures that users can only access the information necessary for their role?
A) Principle of least privilege
B) Separation of duties
C) Defense in depth
D) Mandatory access control
Answer: A) Principle of least privilege
Explanation:
The principle of least privilege is a security concept in which users are granted only the minimum level of access required to perform their job functions. This minimizes the risk of accidental or intentional misuse of sensitive data and resources. By restricting permissions, organizations reduce the potential impact of compromised accounts or insider threats. Security+ candidates must understand the principle of least privilege because it is a foundational aspect of access control, risk management, and regulatory compliance. Implementing least privilege involves careful role definition, regular review of access rights, auditing, and removing unnecessary privileges promptly. It also complements other security controls such as multi-factor authentication and monitoring.
Separation of duties, the second choice, divides responsibilities among multiple individuals to prevent a single person from having unchecked authority over critical processes. While related to least privilege, separation of duties focuses on organizational control to reduce fraud or errors, rather than restricting access strictly based on job necessity.
Defense in depth, the third choice, is a layered security strategy that combines multiple preventive, detective, and corrective controls to protect systems. Defense in depth complements least privilege but addresses overall protection rather than specific access limitations.
Mandatory access control, the fourth choice, is an access control model where access is governed by system-enforced policies, often using classifications such as confidential, secret, or top secret. While MAC enforces strict control, it is a mechanism rather than the underlying principle of granting only necessary access, which is the essence of least privilege.
The correct answer is the principle of least privilege because it directly restricts user access to only what is required for their role. Security+ candidates should understand its implementation in operating systems, applications, network devices, and cloud services. Enforcing least privilege reduces the attack surface, limits potential damage from compromised accounts, and ensures compliance with best practices and regulatory requirements. Proper application of least privilege involves monitoring, auditing, and regular access reviews to maintain security integrity and prevent unauthorized access.
Question 44
Which type of attack involves overwhelming multiple systems to create a coordinated disruption?
A) Distributed Denial of Service (DDoS)
B) Phishing
C) SQL injection
D) Cross-site scripting
Answer: A) Distributed Denial of Service (DDoS)
Explanation:
A distributed denial of service attack is a type of DoS attack in which multiple systems, often part of a botnet, coordinate to flood a target with traffic, overwhelming resources and rendering services unavailable to legitimate users. DDoS attacks target availability, one of the core components of the CIA triad, and can affect websites, networks, or applications. Attackers use multiple compromised machines to maximize attack scale, making mitigation more challenging. Security+ candidates must understand DDoS because it emphasizes the importance of network resilience, traffic monitoring, redundancy, and incident response. Mitigation techniques include rate limiting, traffic filtering, cloud-based DDoS protection, and load balancing to maintain service availability during attacks. DDoS attacks often combine volumetric flooding, application-layer exploitation, and protocol-based attacks to achieve disruption.
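The rate-limiting mitigation mentioned above, as an added example that is not part of the original study guide: a per-source token-bucket limiter run over a constructed request log in which one address floods while two others behave normally. The policy values (5 requests per second, burst of 10) and the addresses are assumptions for the demonstration.

```python
"""Per-source token-bucket rate limiting over a constructed flood.

Added example, not part of the original study guide. The limiter keeps
one token bucket per client address; a source that exceeds the sustained
rate runs out of tokens and its excess requests are dropped, while
well-behaved sources are unaffected. RATE and BURST are an assumed
policy, and the traffic below is constructed.
"""
from collections import defaultdict

RATE = 5.0    # tokens refilled per second (assumed policy)
BURST = 10.0  # bucket capacity: short bursts above RATE are tolerated


class TokenBucketLimiter:
    def __init__(self, rate=RATE, burst=BURST):
        self.rate = rate
        self.burst = burst
        self.tokens = defaultdict(lambda: burst)  # per-source token balance
        self.last_seen = {}                        # per-source time of last refill

    def allow(self, source: str, now: float) -> bool:
        """Refill the source's bucket for elapsed time, then spend one token if available."""
        last = self.last_seen.get(source, now)
        self.tokens[source] = min(self.burst, self.tokens[source] + (now - last) * self.rate)
        self.last_seen[source] = now
        if self.tokens[source] >= 1.0:
            self.tokens[source] -= 1.0
            return True
        return False


def simulate(requests, limiter=None) -> dict:
    """Count allowed/dropped requests per source for a list of (time, source) tuples."""
    limiter = limiter or TokenBucketLimiter()
    stats = defaultdict(lambda: {"allowed": 0, "dropped": 0})
    for t, src in sorted(requests):
        key = "allowed" if limiter.allow(src, t) else "dropped"
        stats[src][key] += 1
    return dict(stats)


def constructed_traffic():
    """One flooding source (100 req/s for 2 s) plus two normal clients (1 req/s for 3 s)."""
    flood = [(i / 100.0, "203.0.113.9") for i in range(200)]
    normal = [(float(i), src) for src in ("198.51.100.4", "198.51.100.5") for i in range(3)]
    return flood + normal


if __name__ == "__main__":
    for src, counts in simulate(constructed_traffic()).items():
        print(src, counts)
```

Because each bucket is keyed by source, a single flooder is throttled to roughly the sustained rate (the initial burst plus about five requests per second) while the two normal clients lose nothing. A genuinely distributed flood spreads its requests over many sources, which is exactly why per-source limiting alone is insufficient and the explanation lists traffic filtering, cloud-based scrubbing and load balancing alongside it.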
Phishing, the second choice, targets human behavior to steal credentials or sensitive information. Phishing does not disrupt system availability directly. While a successful phishing campaign may facilitate other attacks, it is not a DDoS attack.
SQL injection is one of the most significant and longstanding vulnerabilities in web applications. It occurs when user‑supplied input is not properly validated or sanitized before being used in SQL queries. Through this weakness, an attacker can insert or manipulate SQL commands, causing the database to execute unintended operations. The fundamental purpose of SQL injection is to compromise data confidentiality and integrity. Attackers often use it to extract sensitive information such as usernames, passwords, personal records, or financial data. They may also alter or delete records, create unauthorized accounts, or escalate privileges within the database environment. Although SQL injection can have severe effects, it is not inherently designed to disrupt service availability. Any impact on availability is usually a secondary consequence rather than the main objective. For example, an attacker could craft a query that is extremely resource‑intensive, causing the database to slow down or even crash, but this is not the typical or intended use of SQL injection. The technique is best known for unauthorized data access rather than for causing widespread outages.
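The input-validation weakness described above, as an added example that is not part of the original study guide: a login check that concatenates user input into the query sits beside the parameterized version. It uses an in-memory SQLite table with constructed rows; the same example covers the SQL injection description under Question 45.

```python
"""SQL injection: a vulnerable login query next to its parameterized fix.

Added example (not from the original study guide). The vulnerable
function builds the statement by string formatting, so quotes in the
input change the query's logic; the safe one binds the values as
parameters, so the database never interprets them as SQL. The users
table and its rows are constructed sample data.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password_hash TEXT)")
    # Constructed rows; a real system stores salted password hashes here.
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "hash-of-alice-pw"), ("bob", "hash-of-bob-pw")])
    return conn


def login_vulnerable(conn, username: str, password_hash: str) -> bool:
    # Input is concatenated into the statement: the WHERE clause is whatever the caller typed.
    query = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password_hash = '%s'"
             % (username, password_hash))
    return conn.execute(query).fetchone()[0] > 0


def login_safe(conn, username: str, password_hash: str) -> bool:
    # Parameterized: the driver binds the values; they can never become SQL syntax.
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone()[0] > 0


def demo() -> dict:
    """Run both versions against the textbook tautology input and real credentials."""
    conn = make_db()
    tautology = "' OR '1'='1"  # makes the concatenated WHERE clause always true
    return {
        "vulnerable_with_tautology": login_vulnerable(conn, "alice", tautology),
        "safe_with_tautology": login_safe(conn, "alice", tautology),
        "safe_with_real_credentials": login_safe(conn, "alice", "hash-of-alice-pw"),
    }


if __name__ == "__main__":
    print(demo())
```

The parameterized version is the fix the explanation's "properly validated or sanitized" phrase points at: the structure of the statement is fixed before any user data arrives, so the database treats the input as a value, not as part of the query.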
Cross‑site scripting, often referred to as XSS, is another attack that targets web applications, but it operates differently from SQL injection. XSS exploits weaknesses in how a website handles user input and output, allowing attackers to inject malicious scripts into pages viewed by others. Instead of directly targeting the server or database, XSS targets the users of a website, attempting to manipulate their interactions or steal their data. When a victim loads a compromised page, the malicious script runs in their browser with the same permissions as the legitimate site. This enables attackers to capture session cookies, impersonate users, redirect them to harmful sites, or perform unauthorized actions on their behalf.
The effects of XSS are primarily related to the confidentiality and integrity of user sessions and personal information. Attackers can steal account credentials, manipulate user data, or alter what is displayed on a website. Despite its ability to harm users and undermine trust in an application, XSS does not inherently cause availability issues. It does not overwhelm a server with traffic, cripple resources, or block legitimate users from accessing the site in the same manner as a distributed denial‑of‑service attack. Instead, it silently manipulates what users see and how their browsers behave. Any disruption caused by XSS typically affects individual users rather than the system’s overall availability.
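The input-and-output handling weakness XSS exploits, as an added example that is not part of the original study guide: a constructed search page echoes the query back to the user, once by raw interpolation and once with HTML output encoding, so the difference in what the browser would interpret is visible. The template, the helper names and the sample input are assumptions for the demonstration.

```python
"""Reflected XSS: rendering untrusted input with and without output encoding.

Added example (not from the original study guide). The unsafe renderer
inserts the query raw, so markup in it becomes part of the page; the
safe renderer HTML-encodes it for the text context, so the browser shows
it as literal text. PAGE_TEMPLATE and the sample input are constructed.
"""
import html
import re

PAGE_TEMPLATE = "<html><body><p>Results for: {query}</p></body></html>"


def render_unsafe(query: str) -> str:
    # Raw interpolation: any element or script in the input is served as markup.
    return PAGE_TEMPLATE.format(query=query)


def render_safe(query: str) -> str:
    # Output encoding for the HTML text context: <, >, &, and quotes become entities.
    return PAGE_TEMPLATE.format(query=html.escape(query, quote=True))


def user_controlled_part(page: str) -> str:
    """Extract what the template echoed back (between 'Results for: ' and the closing </p>)."""
    start = page.index("Results for: ") + len("Results for: ")
    return page[start:page.index("</p>", start)]


def contains_markup(fragment: str) -> bool:
    """Does the echoed fragment still contain something a browser would parse as a tag?"""
    return re.search(r"<\s*/?[a-zA-Z]", fragment) is not None


if __name__ == "__main__":
    sample = "<script>alert('xss')</script>"  # constructed textbook input
    print(user_controlled_part(render_unsafe(sample)))   # served as a live script element
    print(user_controlled_part(render_safe(sample)))     # served as inert text
```

Encoding at the point of output, in the context where the value lands (HTML text here; attribute, URL and JavaScript contexts need their own encoders), is what stops the injected input from running with the site's permissions; a Content Security Policy is a useful second layer but is not a substitute for it.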
In contrast, denial‑of‑service attacks intentionally aim to exhaust system resources, block access, and render services unavailable. This fundamental difference helps clarify why SQL injection and XSS do not fall under availability‑focused attack categories. Both attacks exploit logical weaknesses in web applications, but they do not directly involve overwhelming systems or shutting them down.
SQL injection compromises databases by manipulating queries, making it a threat to confidentiality and integrity rather than availability. Cross‑site scripting, meanwhile, injects harmful scripts into websites to target users, creating risks to user data and session integrity. Neither SQL injection nor XSS inherently disrupts system availability, which distinguishes them from attacks such as distributed denial‑of‑service operations.
The correct answer is distributed denial of service because it involves multiple systems coordinating to overwhelm a target. Security+ candidates should understand DDoS attack methods, detection mechanisms, mitigation strategies, and how botnets amplify impact. Awareness of DDoS attacks reinforces the need for layered defenses, network monitoring, and proactive incident response to maintain availability and service continuity. DDoS illustrates the critical importance of planning for large-scale coordinated attacks and implementing resilient infrastructure to withstand high-volume threats.
Question 45
Which type of attack exploits weaknesses in wireless encryption protocols to gain unauthorized access?
A) WPA/WPA2 cracking
B) Phishing
C) SQL injection
D) Keylogger
Answer: A) WPA/WPA2 cracking
Explanation:
WPA/WPA2 cracking attacks target weaknesses in wireless encryption protocols used to secure Wi-Fi networks. Attackers capture handshake packets during authentication or exploit weak passphrases to gain unauthorized access to wireless networks. Techniques include dictionary attacks, brute-force attacks, and exploiting protocol-specific vulnerabilities such as KRACK (Key Reinstallation Attack). Once attackers gain access, they can intercept traffic, inject malicious packets, or pivot to internal systems. Security+ candidates must understand WPA/WPA2 cracking to implement strong encryption, complex passphrases, network segmentation, and monitoring for rogue access points. Mitigation strategies include using WPA3, disabling legacy protocols, and employing intrusion detection for wireless networks.
Phishing, the second choice, is unrelated to wireless encryption. Phishing targets human behavior to obtain credentials, whereas WPA/WPA2 cracking focuses on technical weaknesses in network encryption.
SQL injection is a well‑known attack technique that targets weaknesses in how web applications handle user input. It occurs when a web application fails to properly validate or sanitize data entered into fields such as login forms, search bars, or URL parameters. Attackers manipulate this input so that it becomes part of a backend SQL query, altering the logic of the query in harmful ways. Depending on the vulnerability, this can allow an attacker to read, modify, or delete database contents, escalate privileges, or even take control of the underlying server. Despite its serious impact on the confidentiality and integrity of stored data, SQL injection remains focused on web and database systems. It does not interact with or influence the security mechanisms used to protect wireless networks. Wireless network encryption protocols, such as WPA2 and WPA3, involve cryptographic processes at the network layer, completely separate from the web application environment where SQL injection takes place. Therefore, even though SQL injection can compromise sensitive information held in databases, it cannot directly affect wireless network encryption or grant unauthorized access to a wireless network.
Keyloggers, by contrast, are tools specifically designed to capture user input from devices. They come in both hardware and software forms. Software keyloggers may run secretly on a computer, recording keystrokes and periodically sending the captured information to an attacker. Hardware keyloggers, on the other hand, may be plugged between a keyboard and a computer or embedded within the keyboard itself. These tools gather typed information such as usernames, passwords, emails, credit card numbers, and other sensitive data. Keyloggers can be part of larger malware infections, installed through phishing campaigns, malicious downloads, or physical access to a device.
Although keyloggers can capture a wide range of credentials, including those used to log into wireless networks, their relationship to wireless security is indirect. They do not exploit flaws in wireless encryption protocols like WPA2 or WPA3. Instead, they rely on compromising an endpoint device to intercept whatever the user types. If a user manually enters a wireless password while a keylogger is active on their system, that password may be captured. However, this scenario is an endpoint compromise, not a cryptographic or protocol‑level attack against the wireless network itself. In other words, the keylogger steals information because it resides on the user’s computer, not because it breaks the wireless encryption mechanism.
It is important to distinguish between attacks that target network protocols and those that exploit weaknesses at different layers of a system. SQL injection is a web application and database attack, with no direct interaction with wireless communication layers. Keyloggers compromise user endpoints, focusing on input capture rather than network interception or decryption. Wireless network encryption is designed to protect data transmitted over the air, preventing unauthorized parties from eavesdropping or connecting without the correct credentials. Neither SQL injection nor keyloggers interfere with the cryptographic operations that keep wireless networks secure.
SQL injection can cause extensive harm to databases, but it does not impact wireless encryption protocols. Keyloggers can capture passwords typed by users, including those used for wireless access, but they do not target or weaken the encryption technologies that secure wireless communication.
The correct answer is WPA/WPA2 cracking because it specifically targets weaknesses in wireless encryption to gain unauthorized network access. Security+ candidates should understand wireless security protocols, attack methods, and countermeasures, including strong encryption, complex passphrases, network monitoring, and segmentation. Understanding these attacks emphasizes the importance of securing both the physical and wireless network layers to protect confidentiality, integrity, and availability of communications.