General Security Concepts for CompTIA Security+

This page covers the General Security Concepts domain of the CompTIA Security+ certification. Master Cybersecurity offers 132 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    Which of the following is used to add extra complexity before using a one-way data transformation algorithm?
    A. Key stretching
    B. Data masking
    C. Steganography
    D. Salting
    Explanation

    The correct answer is: D. Salting.

    Adding complexity before a one-way hash is salting. A salt is a random value combined with the password (or other input) before hashing; it ensures that two users with the same password produce different hashes, and it makes precomputed-table attacks (rainbow tables) ineffective. Key stretching slows the hashing process to make brute-force attacks more expensive, but it is a complementary technique rather than the addition of complexity to a one-way transformation. Data masking obscures portions of values for display. Steganography hides content inside other content. Salting is the term SY0-701 uses for adding complexity before hashing.
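The effect described in this explanation, as an added example that is not part of the original page: the same password hashed with and without a per-user salt, checked against a small precomputed table, with PBKDF2 shown as the complementary key-stretching step. The password, table entries and function names are constructed for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets

def unsalted_hash(password: str) -> str:
    """Plain one-way hash: identical passwords give identical digests."""
    return hashlib.sha256(password.encode()).hexdigest()

def salted_hash(password: str, salt: bytes | None = None) -> tuple[bytes, str]:
    """Combine a random per-user salt with the password before hashing."""
    salt = secrets.token_bytes(16) if salt is None else salt
    return salt, hashlib.sha256(salt + password.encode()).hexdigest()

def stretched_hash(password: str, salt: bytes, rounds: int = 100_000) -> str:
    """Key stretching (PBKDF2) on top of the salt: each guess costs more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()

def verify(password: str, salt: bytes, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], stored)

def table_hits(table: dict[str, str], digests: list[str]) -> list[str]:
    """Passwords that a precomputed digest-to-password table recovers."""
    return [table[d] for d in digests if d in table]

# Constructed sample data: two users who chose the same password.
PASSWORD = "Winter2024!"
PRECOMPUTED = {unsalted_hash(p): p for p in ("123456", "letmein", PASSWORD)}

def demo() -> dict:
    alice = salted_hash(PASSWORD)
    bob = salted_hash(PASSWORD)
    return {
        "unsalted_equal": unsalted_hash(PASSWORD) == unsalted_hash(PASSWORD),
        "salted_equal": alice[1] == bob[1],
        "table_vs_unsalted": table_hits(PRECOMPUTED, [unsalted_hash(PASSWORD)]),
        "table_vs_salted": table_hits(PRECOMPUTED, [alice[1], bob[1]]),
        "alice_verifies": verify(PASSWORD, *alice),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The salt is stored next to the digest; it does not need to be secret, only unique per user.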

  2. Question 2

    An enterprise is trying to limit outbound DNS traffic originating from its internal network. Outbound DNS requests will only be allowed from one device with the IP address 10.50.10.25. Which of the following firewall ACLs will accomplish this goal?
    A. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
       Access list outbound deny 10.50.10.25/32 0.0.0.0/0 port 53
    B. Access list outbound permit 0.0.0.0/0 10.50.10.25/32 port 53
       Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
    C. Access list outbound permit 0.0.0.0/0 0.0.0.0/0 port 53
       Access list outbound deny 0.0.0.0/0 10.50.10.25/32 port 53
    D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53
       Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53
    Explanation

    The correct answer is: D. Access list outbound permit 10.50.10.25/32 0.0.0.0/0 port 53 Access list outbound deny 0.0.0.0/0 0.0.0.0/0 port 53.

    The right firewall ACL to permit only host 10.50.10.25 to make outbound DNS queries on UDP/53 and deny everything else is option D: permit from 10.50.10.25/32 to 0.0.0.0/0 port 53, then deny 0.0.0.0/0 to 0.0.0.0/0 port 53. The first rule allows only that specific host; the second blocks every other source. The other listed options either invert the source and destination, permit broadly before denying narrowly, or deny only the authorized host. Default-deny with explicit narrow permits is the pattern SY0-701 names for restricting outbound traffic.

  3. Question 3

    An analyst is evaluating the implementation of Zero Trust principles within the data plane. Which of the following would be most relevant for the analyst to evaluate?
    A. Secured zones
    B. Subject role
    C. Adaptive identity
    D. Threat scope reduction
    Explanation

    The correct answer is: D. Threat scope reduction.

    When evaluating Zero Trust within the data plane, the most relevant concept is threat scope reduction. The Zero Trust model identifies threat scope reduction (NIST SP 800-207) as one of the key outcomes the architecture aims for: limiting the blast radius of a compromise by tightly scoping each access decision to the minimum required for the request. Secured zones describe network segments and are an artifact of the control plane. Subject role is an input to authorization decisions rather than the data-plane outcome. Adaptive identity is again a control-plane concept that informs decisions. Threat scope reduction is the data-plane goal the analyst is evaluating.

  4. Question 4

    During a security incident, the security operations team identified sustained network traffic from a malicious IP address: 10.1.4.9. A security analyst is creating an inbound firewall rule to block the IP address from accessing the organization’s network. Which of the following fulfills this request?
    A. access-list inbound deny ip source 0.0.0.0/0 destination 10.1.4.9/32
    B. access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0
    C. access-list inbound permit ip source 10.1.4.9/32 destination 0.0.0.0/0
    D. access-list inbound permit ip source 0.0.0.0/0 destination 10.1.4.9/32
    Explanation

    The correct answer is: B. access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0.

    The right firewall rule to block a specific source address from reaching the network is `access-list inbound deny ip source 10.1.4.9/32 destination 0.0.0.0/0` (option B). The source is the attacker's address and the destination is any internal network. Reversing source and destination would block traffic from the network to the attacker, which is the wrong direction. Permitting from the attacker is the opposite of what is needed. Permitting from any to the attacker's address would explicitly send traffic to the attacker. The correctly oriented deny is the pattern SY0-701 names for blocking inbound traffic.
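The rule sets from Questions 2 and 4, run through a small evaluator as an added example that is not part of the original page. It assumes rules are checked top-down and the first match decides; the resolver, second client and internal host addresses are constructed test values.

```python
from ipaddress import ip_address, ip_network

ANY = "0.0.0.0/0"

def evaluate(acl, src, dst, port=None):
    """Return the action of the first rule matching the packet, top-down.
    Each rule is (action, source_cidr, destination_cidr, port_or_None).
    Assumption: first match wins; "no-match" means no listed rule applied.
    """
    for action, rule_src, rule_dst, rule_port in acl:
        if (ip_address(src) in ip_network(rule_src)
                and ip_address(dst) in ip_network(rule_dst)
                and rule_port in (None, port)):
            return action
    return "no-match"

# Question 2: the four outbound DNS option sets, in the order listed.
DNS_HOST = "10.50.10.25/32"
Q2 = {
    "A": [("permit", ANY, ANY, 53), ("deny", DNS_HOST, ANY, 53)],
    "B": [("permit", ANY, DNS_HOST, 53), ("deny", ANY, ANY, 53)],
    "C": [("permit", ANY, ANY, 53), ("deny", ANY, DNS_HOST, 53)],
    "D": [("permit", DNS_HOST, ANY, 53), ("deny", ANY, ANY, 53)],
}
# Question 4: the four single-rule inbound options.
BAD = "10.1.4.9/32"
Q4 = {
    "A": [("deny", ANY, BAD, None)],
    "B": [("deny", BAD, ANY, None)],
    "C": [("permit", BAD, ANY, None)],
    "D": [("permit", ANY, BAD, None)],
}

# Constructed test addresses (not from the page).
RESOLVER, OTHER_CLIENT, INTERNAL = "192.0.2.53", "10.50.10.99", "10.20.0.5"

def q2_results():
    """(authorized host verdict, other client verdict) for each option."""
    return {k: (evaluate(acl, "10.50.10.25", RESOLVER, 53),
                evaluate(acl, OTHER_CLIENT, RESOLVER, 53))
            for k, acl in Q2.items()}

def q4_results():
    """Verdict for inbound traffic from 10.1.4.9 to an internal host."""
    return {k: evaluate(acl, "10.1.4.9", INTERNAL) for k, acl in Q4.items()}

if __name__ == "__main__":
    print(q2_results(), q4_results(), sep="\n")
```

Only option D in Question 2 yields permit for the authorized host and deny for the other client, and only option B in Question 4 yields deny for the flagged source.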

  5. Question 5

    Which of the following security control types does an acceptable use policy best represent?
    A. Detective
    B. Compensating
    C. Corrective
    D. Preventive
    Explanation

    The correct answer is: D. Preventive.

    An acceptable use policy is most accurately a preventive control. The AUP sets the rules in advance so users know what is permitted and what is forbidden; the goal is to prevent unwanted behavior before it occurs by establishing expectations and consequences. A detective control identifies an event after it has happened (log review, IDS alert); an AUP is not detective. A compensating control substitutes for a primary control that cannot be implemented and is not the AUP's normal classification. A corrective control fires after a detection event to fix the issue and is again not the AUP's role. Preventive is the classification SY0-701 gives the AUP.
