
CompTIA Security+ Practice Tests: Exam SY0-601
Ebook, 655 pages, 6 hours


About this ebook

Get ready for a career in IT security and efficiently prepare for the SY0-601 exam with a single, comprehensive resource

CompTIA Security+ Practice Tests: Exam SY0-601, Second Edition efficiently prepares you for the CompTIA Security+ SY0-601 Exam with one practice exam and domain-by-domain questions. With a total of 1,000 practice questions, you'll be as prepared as possible to take Exam SY0-601.

Written by accomplished author and IT security expert David Seidl, the 2nd Edition of CompTIA Security+ Practice Tests includes questions covering all five crucial domains and objectives on the SY0-601 exam:

  • Attacks, Threats, and Vulnerabilities
  • Architecture and Design
  • Implementation
  • Operations and Incident Response
  • Governance, Risk, and Compliance

Perfect for anyone looking to prepare for the SY0-601 Exam, upgrade their skills by earning a high-level security certification (like CASP+, CISSP, or CISA), as well as anyone hoping to get into the IT security field, CompTIA Security+ Practice Tests allows for efficient and comprehensive preparation and study.

Language: English
Publisher: Wiley
Release date: Jan 7, 2021
ISBN: 9781119735441


    Book preview

    CompTIA Security+ Practice Tests - David Seidl

    Introduction

    CompTIA Security+ Practice Tests: Exam SY0-601, Second Edition is the perfect companion volume to the CompTIA Security+ Study Guide: Exam SY0-601, Eighth Edition (Wiley, 2020, Chapple/Seidl). If you're looking to test your knowledge before you take the Security+ exam, this book will help you by providing a combination of 1,100 questions that cover the Security+ domains and easy-to-understand explanations of both right and wrong answers.

    If you're just starting to prepare for the Security+ exam, we highly recommend that you use the CompTIA Security+ Study Guide, Eighth Edition to help you learn about each of the domains covered by the Security+ exam. Once you're ready to test your knowledge, use this book to help find places where you may need to study more or to practice for the exam itself.

    Since this is a companion to the Security+ Study Guide, this book is designed to be similar to taking the Security+ exam. The book itself is broken up into seven chapters: five domain-centric chapters with questions about each domain, and two chapters that contain 100-question practice tests to simulate taking the Security+ exam itself.

    If you can answer 90 percent or more of the questions for a domain correctly, you can feel safe moving on to the next chapter. If you're unable to answer that many correctly, reread the chapter and try the questions again. Your score should improve.

    Note

    Don't just study the questions and answers! The questions on the actual exam will be different from the practice questions included in this book. The exam is designed to test your knowledge of a concept or objective, so use this book to learn the objectives behind the questions.

    The Security+ Exam

    The Security+ exam is designed to be a vendor-neutral certification for cybersecurity professionals and those seeking to enter the field. CompTIA recommends this certification for those currently working, or aspiring to work, in roles including:

    Systems administrator

    Security administrator

    Security specialist

    Security engineer

    Network administrator

    Junior IT auditor/penetration tester

    Security consultant

    The exam covers five major domains:

    Threats, Attacks, and Vulnerabilities

    Architecture and Design

    Implementation

    Operations and Incident Response

    Governance, Risk, and Compliance

    These five areas include a range of topics, from firewall design to incident response and forensics, while focusing heavily on scenario-based learning. That's why CompTIA recommends that those attempting the exam have at least two years of hands-on work experience, although many individuals pass the exam before moving into their first cybersecurity role.

    The Security+ exam is conducted in a format that CompTIA calls performance-based assessment. This means that the exam combines standard multiple-choice questions with other, interactive question formats. Your exam may include multiple types of questions, such as multiple-choice, fill-in-the-blank, multiple-response, drag-and-drop, and image-based problems.

    CompTIA recommends that test takers have two years of information security–related experience before taking this exam. The exam costs $349 in the United States, with roughly equivalent prices in other locations around the globe. More details about the Security+ exam and how to take it can be found here:

    www.comptia.org/certifications/security

    Note

    This book includes a discount code for the Security+ exam—make sure you use it!

    You'll have 90 minutes to take the exam and will be asked to answer up to 90 questions during that time period. Your exam will be scored on a scale ranging from 100 to 900, with a passing score of 750.

    You should also know that CompTIA is notorious for including vague questions on all of its exams. You might see a question for which two of the possible four answers are correct—but you can choose only one. Use your knowledge, logic, and intuition to choose the best answer and then move on. Sometimes, the questions are worded in ways that would make English majors cringe—a typo here, an incorrect verb there. Don't let this frustrate you; answer the question and move on to the next one.

    Note

    CompTIA frequently does what is called item seeding, which is the practice of including unscored questions on exams. It does so to gather psychometric data, which is then used when developing new versions of the exam. Before you take the exam, you will be told that your exam may include these unscored questions. So, if you come across a question that does not appear to map to any of the exam objectives—or for that matter, does not appear to belong in the exam—it is likely a seeded question. You never know whether or not a question is seeded, however, so always make your best effort to answer every question.

    Taking the Exam

    Once you are fully prepared to take the exam, you can visit the CompTIA website to purchase your exam voucher:

    www.comptiastore.com/Articles.asp?ID=265&category=vouchers

    CompTIA partners with Pearson VUE's testing centers, so your next step will be to locate a testing center near you. In the United States, you can do this based on your address or your ZIP code, whereas non-U.S. test takers may find it easier to enter their city and country. You can search for a test center near you at the Pearson VUE website, where you will need to navigate to Find a test center.

    www.pearsonvue.com/comptia

    Now that you know where you'd like to take the exam, simply set up a Pearson VUE testing account and schedule an exam:

    home.pearsonvue.com/comptia/onvue

    On the day of the test, take two forms of identification, and make sure to show up with plenty of time before the exam starts. Remember that you will not be able to take your notes, electronic devices (including smartphones and watches), or other materials in with you, and that other requirements may exist for the test. Make sure you review those requirements before the day of your test so you're fully prepared for both the test itself as well as the testing process and facility rules.

    After the Security+ Exam

    Once you have taken the exam, you will be notified of your score immediately, so you'll know if you passed the test right away. You should keep track of your score report with your exam registration records and the email address you used to register for the exam.

    Maintaining Your Certification

    CompTIA certifications must be renewed on a periodic basis. To renew your certification, you can pass the most current version of the exam, earn a qualifying higher-level CompTIA or industry certification, or complete sufficient continuing education activities to earn enough continuing education units (CEUs) to renew it.

    CompTIA provides information on renewals via their website at:

    www.comptia.org/continuing-education

    When you sign up to renew your certification, you will be asked to agree to the CE program's Code of Ethics, to pay a renewal fee, and to submit the materials required for your chosen renewal method.

    A full list of the industry certifications you can use to acquire CEUs toward renewing the Security+ can be found at:

    www.comptia.org/continuing-education/choose/renew-with-a-single-activity/earn-a-higher-level-comptia-certification

    Using This Book to Practice

    This book is composed of seven chapters with over 1,000 practice test questions. Each of the first five chapters covers a domain, with a variety of questions that can help you test your knowledge of real-world, scenario, and best practices–based security knowledge. The final two chapters are complete practice exams that can serve as timed practice tests to help determine whether you're ready for the Security+ exam.

    We recommend taking the first practice exam to help identify where you may need to spend more study time and then using the domain-specific chapters to test your domain knowledge where it is weak. Once you're ready, take the second practice exam to make sure you've covered all the material and are ready to attempt the Security+ exam.

    As you work through questions in this book, you will encounter tools and technology that you may not be familiar with. If you find that you are facing a consistent gap or that a domain is particularly challenging, we recommend spending some time with books and materials that tackle that domain in depth. This approach can help you fill in gaps and help you be more prepared for the exam.

    Note

    To access our interactive test bank and online learning environment, simply visit www.wiley.com/go/sybextestprep, register to receive your unique PIN, and instantly gain one year of FREE access after activation to the interactive test bank with 2 practice exams and hundreds of domain-by-domain questions. Over 1,000 questions total!

    Exam SY0-601 Exam Objectives

    CompTIA goes to great lengths to ensure that its certification programs accurately reflect the IT industry's best practices. They do this by establishing committees for each of its exam programs. Each committee consists of a small group of IT professionals, training providers, and publishers who are responsible for establishing the exam's baseline competency level and who determine the appropriate target-audience level.

    Once these factors are determined, CompTIA shares this information with a group of hand-selected subject matter experts (SMEs). These folks are the true brainpower behind the certification program. The SMEs review the committee's findings, refine them, and shape them into the objectives that follow this section. CompTIA calls this process a job-task analysis (JTA).

    Finally, CompTIA conducts a survey to ensure that the objectives and weightings truly reflect job requirements. Only then can the SMEs go to work writing the hundreds of questions needed for the exam. Even so, they have to go back to the drawing board for further refinements in many cases before the exam is ready to go live in its final state. Rest assured that the content you're about to learn will serve you long after you take the exam.

    CompTIA also publishes relative weightings for each of the exam's objectives. The following table lists the five Security+ objective domains and the extent to which they are represented on the exam.

    SY0-601 Certification Exam Objective Map

    Note

    Exam objectives are subject to change at any time without prior notice and at CompTIA's discretion. Please visit CompTIA's website (www.comptia.org) for the most current listing of exam objectives.

    Chapter 1

    Threats, Attacks, and Vulnerabilities

    THE COMPTIA SECURITY+ EXAM SY0-601 TOPICS COVERED IN THIS CHAPTER INCLUDE THE FOLLOWING:

    1.1 Compare and contrast different types of social engineering techniques

    1.2 Given a scenario, analyze potential indicators to determine the type of attack

    1.3 Given a scenario, analyze potential indicators associated with application attacks

    1.4 Given a scenario, analyze potential indicators associated with network attacks

    1.5 Explain different threat actors, vectors, and intelligence sources

    1.6 Explain the security concerns associated with various types of vulnerabilities

    1.7 Summarize the techniques used in security assessments

    1.8 Explain the techniques used in penetration testing

    Ahmed is a sales manager with a major insurance company. He has received an email that is encouraging him to click on a link and fill out a survey. He is suspicious of the email, but it does mention a major insurance association, and that makes him think it might be legitimate. Which of the following best describes this attack?

    Phishing

    Social engineering

    Spear phishing

    Trojan horse

    You are a security administrator for a medium-sized bank. You have discovered a piece of software on your bank's database server that is not supposed to be there. It appears that the software will begin deleting database files if a specific employee is terminated. What best describes this?

    Worm

    Logic bomb

    Trojan horse

    Rootkit

    You are responsible for incident response at Acme Bank. The Acme Bank website has been attacked. The attacker used the login screen, but rather than enter login credentials, they entered some odd text: ' or '1' = '1 . What is the best description for this attack?

    Cross-site scripting

    Cross-site request forgery

    SQL injection

    ARP poisoning

    Users are complaining that they cannot connect to the wireless network. You discover that the WAPs are being subjected to a wireless attack designed to block their Wi-Fi signals. Which of the following is the best label for this attack?

    IV attack

    Jamming

    WPS attack

    Botnet

    Frank is deeply concerned about attacks to his company's e-commerce server. He is particularly worried about cross-site scripting and SQL injection. Which of the following would best defend against these two specific attacks?

    Encrypted web traffic

    Input validation

    A firewall

    An IDS

    You are responsible for network security at Acme Company. Users have been reporting that personal data is being stolen when using the wireless network. They all insist they only connect to the corporate wireless access point (AP). However, logs for the AP show that these users have not connected to it. Which of the following could best explain this situation?

    Session hijacking

    Clickjacking

    Rogue access point

    Bluejacking

    What type of attack depends on the attacker entering JavaScript into a text area that is intended for users to enter text that will be viewed by other users?

    SQL injection

    Clickjacking

    Cross-site scripting

    Bluejacking

    Rick wants to make offline brute-force attacks against his password file very difficult for attackers. Which of the following is not a common technique to make passwords harder to crack?

    Use of a salt

    Use of a pepper

    Use of a purpose-built password hashing algorithm

    Encrypting password plain text using symmetric encryption

    What term is used to describe spam over Internet messaging services?

    SPIM

    SMSPAM

    IMSPAM

    TwoFaceTiming

    Susan is analyzing the source code for an application and discovers that a pointer dereference returns NULL. This causes the program to attempt to read from the NULL pointer and results in a segmentation fault. What impact could this have for the application?

    A data breach

    A denial-of-service condition

    Permissions creep

    Privilege escalation

    Teresa is the security manager for a mid-sized insurance company. She receives a call from law enforcement, telling her that some computers on her network participated in a massive denial-of-service (DoS) attack. Teresa is certain that none of the employees at her company would be involved in a cybercrime. What would best explain this scenario?

    It is a result of social engineering.

    The machines all have backdoors.

    The machines are bots.

    The machines are infected with crypto-viruses.

    Unusual outbound network traffic, geographical irregularities, and increases in database read volumes are all examples of what key element of threat intelligence?

    Predictive analysis

    OSINT

    Indicators of compromise

    Threat maps

    Chris needs visibility into connection attempts through a firewall because he believes that a TCP handshake is not properly occurring. What security information and event management (SIEM) capability is best suited to troubleshooting this issue?

    Reviewing reports

    Packet capture

    Sentiment analysis

    Log collection and analysis

    Chris wants to detect a potential insider threat using his security information and event management (SIEM) system. What capability best matches his needs?

    Sentiment analysis

    Log aggregation

    Security monitoring

    User behavior analysis

    Chris has hundreds of systems spread across multiple locations and wants to better handle the amount of data that they create. What two technologies can help with this?

    Log aggregation and log collectors

    Packet capture and log aggregation

    Security monitoring and log collectors

    Sentiment analysis and user behavior analysis

    What type of security team establishes the rules of engagement for a cybersecurity exercise?

    Blue team

    White team

    Purple team

    Red team

    Cynthia is concerned about attacks against an application programming interface (API) that her company provides for its customers. What should she recommend to ensure that the API is only used by customers who have paid for the service?

    Require authentication.

    Install and configure a firewall.

    Filter by IP address.

    Install and use an IPS.

    What type of attack is based on sending more data to a target variable than the data can actually hold?

    Bluesnarfing

    Buffer overflow

    Bluejacking

    Cross-site scripting

    An email arrives telling Gurvinder that there is a limited time to act to get a software package for free and that the first 50 downloads will not have to be paid for. What social engineering principle is being used against him?

    Scarcity

    Intimidation

    Authority

    Consensus

    You have been asked to test your company network for security issues. The specific test you are conducting involves primarily using automated and semiautomated tools to look for known vulnerabilities with the various systems on your network. Which of the following best describes this type of test?

    Vulnerability scan

    Penetration test

    Security audit

    Security test

    Susan wants to reduce the likelihood of successful credential harvesting attacks via her organization's commercial websites. Which of the following is not a common prevention method aimed at stopping credential harvesting?

    Use of multifactor authentication

    User awareness training

    Use of complex usernames

    Limiting or preventing use of third-party web scripts and plugins

    Greg wants to gain admission to a network that is protected by a network access control (NAC) system that recognizes the hardware address of systems. How can he bypass this protection?

    Spoof a legitimate IP address.

    Conduct a denial-of-service attack against the NAC system.

    Use MAC cloning to clone a legitimate MAC address.

    None of the above

    Coleen is the web security administrator for an online auction website. A small number of users are complaining that when they visit the website it does not appear to be the correct site. Coleen checks and she can visit the site without any problem, even from computers outside the network. She also checks the web server log and there is no record of those users ever connecting. Which of the following might best explain this?

    Typo squatting

    SQL injection

    Cross-site scripting

    Cross-site request forgery

    The organization that Mike works in finds that one of their domains is directing traffic to a competitor's website. When Mike checks, the domain information has been changed, including the contact and other administrative details for the domain. If the domain had not expired, what has most likely occurred?

    DNS hijacking

    An on-path attack

    Domain hijacking

    A zero-day attack

    Mahmoud is responsible for managing security at a large university. He has just performed a threat analysis for the network, and based on past incidents and studies of similar networks, he has determined that the most prevalent threat to his network is low-skilled attackers who wish to breach the system, simply to prove they can or for some low-level crime, such as changing a grade. Which term best describes this type of attacker?

    Hacktivist

    Amateur

    Insider

    Script kiddie

    How is phishing different from general spam?

    It is sent only to specific targeted individuals.

    It is intended to acquire credentials or other data.

    It is sent via SMS.

    It includes malware in the message.

    Which of the following best describes a collection of computers that have been compromised and are being controlled from one central point?

    Zombienet

    Botnet

    Nullnet

    Attacknet

    Selah includes a question in her procurement request-for-proposal process that asks how long the vendor has been in business and how many existing clients the vendor has. What common issue is this practice intended to help prevent?

    Supply chain security issues

    Lack of vendor support

    Outsourced code development issues

    System integration problems

    John is conducting a penetration test of a client's network. He is currently gathering information from sources such as archive.org, netcraft.com, social media, and information websites. What best describes this stage?

    Active reconnaissance

    Passive reconnaissance

    Initial exploitation

    Pivot

    Alice wants to prevent SSRF attacks. Which of the following will not be helpful for preventing them?

    Removing all SQL code from submitted HTTP queries

    Blocking hostnames like 127.0.0.1 and localhost

    Blocking sensitive URLs like /admin

    Applying whitelist-based input filters

    What type of attack is based on entering fake entries into a target network's domain name server?

    DNS poisoning

    ARP poisoning

    XSS poisoning

    CSRF poisoning

    Frank has been asked to conduct a penetration test of a small bookkeeping firm. For the test, he has only been given the company name, the domain name for their website, and the IP address of their gateway router. What best describes this type of test?

    A known environment test

    External test

    An unknown environment test

    Threat test

    You work for a security company that performs penetration testing for clients. You are conducting a test of an e-commerce company. You discover that after compromising the web server, you can use the web server to launch a second attack into the company's internal network. What best describes this?

    Internal attack

    Known environment testing

    Unknown environment testing

    A pivot

    While investigating a malware outbreak on your company network, you discover something very odd. There is a file that has the same name as a Windows system DLL, and it even has the same API interface, but it handles input very differently, in a manner designed to compromise the system, and it appears that applications have been attaching to this file rather than the real system DLL. What best describes this?

    Shimming

    Trojan horse

    Backdoor

    Refactoring

    Which of the following capabilities is not a key part of a SOAR (security orchestration, automation, and response) tool?

    Threat and vulnerability management

    Security incident response

    Automated malware analysis

    Security operations automation

    John discovers that email from his company's email servers is being blocked because of spam that was sent from a compromised account. What type of lookup can he use to determine what vendors like McAfee and Barracuda have classified his domain as?

    An nslookup

    A tcpdump

    A domain reputation lookup

    An SMTP whois

    Frank is a network administrator for a small college. He discovers that several machines on his network are infected with malware. That malware is sending a flood of packets to a target external to the network. What best describes this attack?

    SYN flood

    DDoS

    Botnet

    Backdoor

    Why is SSL stripping a particular danger with open Wi-Fi networks?

    WPA2 is not secure enough to prevent this.

    Open hotspots do not assert their identity in a secure way.

    Open hotspots can be accessed by any user.

    802.11ac is insecure and traffic can be redirected.

    A sales manager at your company is complaining about slow performance on his computer. When you thoroughly investigate the issue, you find spyware on his computer. He insists that the only thing he has downloaded recently was a freeware stock trading application. What would best explain this situation?

    Logic bomb

    Trojan horse

    Rootkit

    Macro virus

    When phishing attacks are so focused that they target a specific high-ranking or important individual, they are called what?

    Spear phishing

    Targeted phishing

    Phishing

    Whaling

    What type of threat actors are most likely to have a profit motive for their malicious activities?

    State actors

    Script kiddies

    Hacktivists

    Criminal syndicates

    One of your users cannot recall the password for their laptop. You want to recover that password for them. You intend to use a tool/technique that is popular with hackers, and it consists of searching tables of precomputed hashes to recover the password. What best describes this?

    Rainbow table

    Backdoor

    Social engineering

    Dictionary attack

    What risk is commonly associated with a lack of vendor support for a product, such as an outdated version of a device?

    Improper data storage

    Lack of patches or updates

    Lack of available documentation

    System integration and configuration issues

    You have noticed that when in a crowded area, you sometimes get a stream of unwanted text messages. The messages end when you leave the area. What describes this attack?

    Bluejacking

    Bluesnarfing

    Evil twin

    Rogue access point

    Dennis uses an on-path attack to cause a system to send HTTPS traffic to his system and then forwards it to the actual server the traffic is intended for. What type of password attack can he conduct with the data he gathers if he captures all the traffic from a login form?

    A plain-text password attack

    A pass-the-hash attack

    A SQL injection attack

    A cross-site scripting attack

    Someone has been rummaging through your company's trash bins seeking to find documents, diagrams, or other sensitive information that has been thrown out. What is this called?

    Dumpster diving

    Trash diving

    Social engineering

    Trash engineering

    Louis is investigating a malware incident on one of the computers on his network. He has discovered unknown software that seems to be opening a port, allowing someone to remotely connect to the computer. This software seems to have been installed at the same time as a small shareware application. Which of the following best describes this malware?

    RAT

    Worm

    Logic bomb

    Rootkit

    Jared is responsible for network security at his company. He has discovered behavior on one computer that certainly appears to be a virus. He has even identified a file he thinks might be the virus. However, using three separate antivirus programs, he finds that none can detect the file. Which of the following is most likely to be occurring?

    The computer has a RAT.

    The computer has a zero-day exploit.

    The computer has a worm.

    The computer has a rootkit.

    Which of the following is not a common means of attacking RFID badges?

    Data capture

    Spoofing

    Denial-of-service

    Birthday attacks

    Your wireless network has been breached. It appears the attacker modified a portion of data used with the stream cipher and used this to expose wirelessly encrypted data. What is this attack called?

    Evil twin

    Rogue WAP

    IV attack

    WPS attack

    The company that Scott works for has experienced a data breach, and the personal information of thousands of customers has been exposed. Which of the following impact categories is not a concern as described in this scenario?

    Financial

    Reputation

    Availability loss

    Data loss

    What type of attack exploits the trust that a website has for an authenticated user to attack that website by spoofing requests from the trusted user?

    Cross-site scripting

    Cross-site request forgery

    Bluejacking

    Evil twin

    What purpose does a fusion center serve in cyberintelligence activities?

    It promotes information sharing between agencies or organizations.

    It combines security technologies to create new, more powerful tools.

    It generates power for the local community in a secure way.

    It separates information by classification ratings to avoid accidental distribution.

    CVE is an example of what type of feed?

    A threat intelligence feed

    A vulnerability feed

    A critical infrastructure listing feed

    A critical virtualization exploits feed

    What type of attack is a birthday attack?

    A social engineering attack

    A cryptographic attack

    A network denial-of-service attack

    A TCP/IP protocol attack

    Juanita is a network administrator for Acme Company. Some users complain that they keep getting dropped from the network. When Juanita checks the logs for the wireless access point (WAP), she finds that a deauthentication packet has been sent to the WAP from the users' IP addresses. What seems to be happening here?

    Problem with users' Wi-Fi configuration

    Disassociation attack

    Session hijacking

    Backdoor attack

    John has discovered that an attacker is trying to get network passwords by using software that attempts a number of passwords from a list of common passwords. What type of attack is this?

    Dictionary

    Rainbow table

    Brute force

    Session hijacking

    You are a network security administrator for a bank. You discover that an attacker has exploited a flaw in OpenSSL and forced some connections to move to a weak cipher suite version of TLS, which the attacker could breach. What type of attack was this?

    Disassociation attack

    Downgrade attack

    Session hijacking

    Brute force

    When an attacker tries to find an input value that will produce the same hash as a password, what type of attack is this?

    Rainbow table

    Brute force

    Session hijacking

    Collision attack
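The two hashing questions above (the birthday attack and the collision attack) differ in cost, and the difference is worth seeing in running code. The block below is an added example, not from the book: it finds a collision in a truncated SHA-256 in roughly the square root of the search space (the birthday bound), and contrasts that with a second-preimage search for a fixed target, which is what "an input that produces the same hash as a password" strictly describes and which costs on the order of the full space. The truncation widths and message prefixes are choices made for this example.

```python
import hashlib
import math


def trunc_hash(data: bytes, bits: int) -> int:
    """SHA-256 truncated to `bits` bits, so the search is small enough to run here."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def expected_birthday_tries(bits: int) -> float:
    """Expected number of random inputs before the first collision: ~sqrt(pi/2 * 2^bits)."""
    return math.sqrt(math.pi / 2 * 2 ** bits)


def birthday_collision(bits: int, prefix: str = "msg"):
    """Find two distinct inputs with the same truncated hash.

    The attacker controls both inputs, so any repeat in the table counts.
    Expected work is about sqrt(2^bits) hashes, not 2^bits."""
    seen = {}
    i = 0
    while True:
        msg = f"{prefix}-{i}".encode()
        h = trunc_hash(msg, bits)
        if h in seen:
            return seen[h], msg, i + 1       # (first input, second input, hashes computed)
        seen[h] = msg
        i += 1


def second_preimage(target: bytes, bits: int, limit: int):
    """Find an input hashing to the SAME value as a fixed target.

    Only one side is free, so the expected work is about 2^bits hashes; the
    search is capped at `limit` to keep the example bounded."""
    want = trunc_hash(target, bits)
    for i in range(limit):
        cand = f"guess-{i}".encode()
        if cand != target and trunc_hash(cand, bits) == want:
            return cand, i + 1
    return None, limit
```

At 32 bits the collision search typically finishes in tens of thousands of hashes, while the second-preimage search, with a budget of a few thousand attempts against a 32-bit target, almost never succeeds; the same ratio is what makes the birthday bound the figure that sizes a hash output.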

    Farès is the network security administrator for a company that creates advanced routers and switches. He has discovered that his company's networks have been subjected to a series of advanced attacks over a period of time. What best describes this attack?

    DDoS

    Brute force

    APT

    Disassociation attack

    What type of information is phishing not commonly intended to acquire?

    Passwords

    Email addresses

    Credit card numbers

    Personal information

    John is running an IDS on his network. Users sometimes report that the IDS flags legitimate traffic as an attack. What describes this?

    False positive

    False negative

    False trigger

    False flag

    Scott discovers that malware has been installed on one of the systems he is responsible for. Shortly afterward, the passwords of the user assigned to that system are found to be in use by attackers. What type of malicious program should Scott look for on the compromised system?

    A rootkit

    A keylogger

    A worm

    None of the above

    You are performing a penetration test of your company's network. As part of the test, you will be given a login with minimal access and will attempt to gain administrative access with this account. What is this called?

    Privilege escalation

    Session hijacking

    Root grabbing

    Climbing

    Matt discovers that a system on his network is sending hundreds of Ethernet frames to the switch it is connected to, with each frame containing a different source MAC address. What type of attack has he discovered?

    Etherspam

    MAC flooding

    Hardware spoofing

    MAC hashing
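As an added example (not from the book) of why the frames in the question above matter, the block below models a switch with a bounded CAM table and shows that once an attacker has filled it with fake source addresses, a unicast frame to a legitimate host is flooded out every port, including the attacker's. It then runs a simple detector over constructed frame log lines that flags any port sourcing an unusual number of distinct MAC addresses. The eviction policy, port names, addresses and log format are all assumptions made for this example.

```python
from collections import OrderedDict, defaultdict


class ToySwitch:
    """Switch model with a bounded CAM (MAC -> port) table.

    Under pressure the oldest entry is evicted (a stand-in for aging); frames to
    a destination that is no longer in the table are flooded out every other port."""

    def __init__(self, ports, cam_capacity):
        self.ports = list(ports)
        self.cap = cam_capacity
        self.cam = OrderedDict()

    def forward(self, in_port, src, dst):
        if src in self.cam:
            self.cam.move_to_end(src)
        else:
            if len(self.cam) >= self.cap:
                self.cam.popitem(last=False)      # legitimate entries get pushed out
            self.cam[src] = in_port               # learn the (possibly fake) source
        out = self.cam.get(dst)
        if out is None:
            return [p for p in self.ports if p != in_port]   # unknown unicast: flood
        return [out]


def flood_demo(attack_frames=1000):
    """Returns the egress ports for victim->server before and after the flood."""
    sw = ToySwitch(["p1", "p2", "p3"], cam_capacity=64)   # p3 is the attacker's port
    victim, server = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    sw.forward("p2", server, victim)                       # switch learns server on p2
    before = sw.forward("p1", victim, server)              # unicast: only p2
    for i in range(attack_frames):                         # attacker sprays fake sources
        fake = "02:00:00:%02x:%02x:%02x" % ((i >> 16) & 255, (i >> 8) & 255, i & 255)
        sw.forward("p3", fake, "ff:ff:ff:ff:ff:ff")
    after = sw.forward("p1", victim, server)               # server evicted: flooded
    return before, after


def detect_mac_flood(log_lines, threshold=50):
    """Flag ports that source more distinct MAC addresses than a host port should."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        seen[fields["port"]].add(fields["src"])
    return sorted(p for p, macs in seen.items() if len(macs) > threshold)


# Constructed log sample: one normal host on p1, a flood of sources on p3.
CONSTRUCTED_LOG = (
    ["port=p1 src=aa:aa:aa:aa:aa:01 dst=aa:aa:aa:aa:aa:02"] * 20
    + ["port=p3 src=02:00:00:00:%02x:%02x dst=ff:ff:ff:ff:ff:ff" % (i >> 8, i & 255)
       for i in range(200)]
)
```

The usual mitigation is port security (a per-port limit on learned MAC addresses), which is exactly the threshold the detector applies after the fact.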

    Spyware is an example of what type of malware?

    Trojan

    PUP

    RAT

    Ransomware

    Mary has discovered that a web application used by her company does not always handle multithreading properly, particularly when multiple threads access the same variable. This could allow an attacker who discovered this vulnerability to exploit it and crash the server. What type of error has Mary discovered?

    Buffer overflow

    Logic bomb

    Race conditions

    Improper error handling
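The shared-variable problem in the question above is a check-then-act race. The block below is an added example, not from the book: a withdrawal routine whose check and update can be separated by another thread, driven to the worst-case interleaving with a barrier so the lost update reproduces every time, beside the same routine with the check and update made atomic under a lock. The account, amounts and thread count are constructed for this example.

```python
import threading


class Account:
    def __init__(self, balance):
        self.balance = balance
        self.lock = threading.Lock()


def withdraw_racy(acct, amount, between=lambda: None):
    """Check-then-act with no synchronization.

    `between` marks the window in which another thread can run; in production
    that window is just scheduler luck, which is why the bug is intermittent."""
    if acct.balance >= amount:      # check
        between()                   # another thread may pass the same check here
        acct.balance -= amount      # act on stale information
        return True
    return False


def withdraw_safe(acct, amount):
    """Check and act as one atomic step: the second thread sees the updated balance."""
    with acct.lock:
        if acct.balance >= amount:
            acct.balance -= amount
            return True
        return False


def run_two_workers(fn, **kwargs):
    """Two threads each try to withdraw 75 from an account holding 100."""
    acct = Account(100)
    results = []
    def worker():
        results.append(fn(acct, 75, **kwargs))
    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return acct.balance, sorted(results)


def race_demo():
    # The barrier forces both threads past the balance check before either
    # subtracts, so both withdrawals succeed and the account is overdrawn.
    gate = threading.Barrier(2)
    return run_two_workers(withdraw_racy, between=gate.wait)


def fixed_demo():
    return run_two_workers(withdraw_safe)
```

The same pattern with a pointer or a file handle instead of a balance is what turns a race into the crash the question mentions: the second thread acts on an object the first has already freed or closed.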

    An attacker is trying to get access to your network. He is sending users on your network a link to a new game bundled with a cracked license-key program. However, the game files also include software that will give the attacker access to any machine it is installed on. What type of attack is this?

    Rootkit

    Trojan horse

    Spyware

    Boot sector virus

    The following image shows a report from an OpenVAS system. What type of weak configuration is shown here?

    Snapshot of a report from an OpenVAS system.

    Weak encryption

    Unsecured administrative accounts

    Open ports and services

    Unsecure protocols

    While conducting a penetration test, Annie scans for systems on the network she has gained access to. She discovers another system within the same network that has the same accounts and user types as the one she is on. Since her existing user account is also valid there, she is able to log in to it. What type of technique is this?

    Lateral movement

    Privilege escalation

    Privilege retention

    Vertical movement

    Amanda scans a Red Hat Linux server that she believes is fully patched and discovers that the Apache version on the server is reported as vulnerable to an exploit from a few months ago. When she checks to see if she is missing patches, Apache is fully patched. What has occurred?

    A false positive

    An automatic update failure

    A false negative

    An Apache version mismatch
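Distribution vendors often backport a security fix without changing the version string the web server advertises, which is the situation in the question above. As an added example (not from the book), the block below reproduces the version-only logic a scanner applies and then checks a package changelog for the fix, which is the confirmation step a practitioner would want before closing the finding as a false positive. The changelog text, the CVE identifier (a placeholder) and the upstream fix version are all constructed for this example, not real data.

```python
import re

# Constructed sample in the style of `rpm -q --changelog httpd` output. Not real
# vendor data; the CVE id is a placeholder rather than a real vulnerability.
CHANGELOG = """\
* Tue Mar 03 2020 Example Maintainer <maint@example.invalid> - 2.4.6-93
- Resolves: CVE-0000-0000 - example request handling flaw (fix backported)
* Mon Jan 06 2020 Example Maintainer <maint@example.invalid> - 2.4.6-92
- rebuild for example
"""
INSTALLED_VERSION = "2.4.6"   # the banner the scanner sees; backports leave it unchanged
FIXED_UPSTREAM = "2.4.99"     # hypothetical upstream release that first contained the fix


def version_tuple(v: str):
    return tuple(int(x) for x in v.split("."))


def scanner_says_vulnerable(installed: str, fixed_upstream: str) -> bool:
    """Version-only reasoning: vulnerable if the banner is older than the upstream fix."""
    return version_tuple(installed) < version_tuple(fixed_upstream)


def changelog_mentions(changelog: str, cve: str) -> bool:
    """True if the package changelog records the CVE, i.e. the fix was backported."""
    return re.search(r"\b" + re.escape(cve) + r"\b", changelog) is not None


def triage(installed: str, fixed_upstream: str, changelog: str, cve: str) -> str:
    flagged = scanner_says_vulnerable(installed, fixed_upstream)
    if flagged and changelog_mentions(changelog, cve):
        return "false positive: fix backported"
    if flagged:
        return "likely vulnerable: no backport recorded"
    return "not flagged"
```

On a live system the changelog comes from the package manager rather than a string literal; the point is that the scanner's evidence (a banner) and the package's evidence (a recorded fix) answer different questions, and only the second settles this one.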

    When a program has variables, especially arrays, and does not check their bounds before writing input into them, what attack is the program vulnerable to?

    XSS

    CSRF

    Buffer overflow

    Logic bomb

    Tracy is concerned that the software she wants to download may not be trustworthy, so she searches for it and finds many postings claiming that the software is legitimate. If she installs the software and later discovers it is malicious and that malicious actors have
