Threats, Vulnerabilities, and Mitigations for CompTIA Security+
This page covers the Threats, Vulnerabilities, and Mitigations domain of the CompTIA Security+ certification. Master Cybersecurity offers 118 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.
Sample Practice Questions
Question 1
Which of the following threat actors is the most likely to be hired by a foreign government to attack critical systems located in other countries?
- A. Hacktivist
- B. Whistleblower
- C. Organized crime
- D. Unskilled attacker
Explanation
The correct answer is: C. Organized crime.
The threat actor that a foreign government would most likely hire to attack critical systems in another country (when nation-state is not an option) is organized crime. Governments routinely use organized criminal groups as proxies to maintain plausible deniability while still reaching the technical capabilities they need; well-documented real-world examples include North Korean and Russian state operations that overlap with criminal enterprises. Hacktivists are driven by ideology rather than payment. Whistleblowers act on conscience and do not hire out their access. Unskilled attackers lack the capability that critical-system attacks require. Organized crime is the actor type whose capability and contractability fit the brief.
Question 2
An employee clicked a link in an email from a payment website that asked the employee to update contact information. The employee entered the log-in information but received a “page not found” error message. Which of the following types of social engineering attacks occurred?
- A. Brand impersonation
- B. Pretexting
- C. Typosquatting
- D. Phishing
Explanation
The correct answer is: D. Phishing.
An email that lures the recipient to a fake login page for a payment site and then displays a “page not found” error after the credentials are submitted is a phishing attack. Credential harvesting through a fraudulent login page is the canonical phishing pattern, and the error after submission is the attacker's way of obscuring the fact that the credentials have already been captured. Brand impersonation is an attribute of many phishing campaigns but is not itself the SY0-701-named attack class. Pretexting is the social-engineering technique of constructing a believable cover story and is used inside phishing rather than naming it. Typosquatting registers lookalike domains and may be a delivery mechanism but is not the social-engineering label. Phishing is the precise label for the credential-harvest-then-broken-page pattern.
Question 3
Which of the following scenarios describes a possible business email compromise attack?
- A. An employee receives a gift card request in an email that has an executive’s name in the display field of the email.
- B. Employees who open an email attachment receive messages demanding payment in order to access files.
- C. A service desk employee receives an email from the HR director asking for log-in credentials to a cloud administrator account.
- D. An employee receives an email with a link to a phishing site that is designed to look like the company’s email portal.
Explanation
The correct answer is: C. A service desk employee receives an email from the HR director asking for log-in credentials to a cloud administrator account.
A service-desk employee receiving an email from someone identifying themselves as the HR director and asking for the credentials to a cloud administrator account is a business email compromise (BEC) attack. BEC combines impersonation of a trusted business identity (an executive, vendor, or other authority figure) with a request that bypasses normal procedure; in this case the impersonation is of the HR director, and the requested action is to hand over privileged credentials. The gift-card scenario in option A is also a BEC pattern but is a different example; the question asks which scenario describes BEC, and the credential-handover request is squarely BEC because it impersonates authority to extract sensitive information. The ransomware email is a malware-delivery vector, not BEC. The phishing-site link is generic credential harvesting through a fake login page rather than BEC's identity-impersonation pattern. The HR-director scenario is the named BEC case.
Question 4
An employee receives a text message that appears to have been sent by the payroll department and is asking for credential verification. Which of the following social engineering techniques are being attempted? (Choose two.)
- A. Typosquatting
- B. Phishing
- C. Impersonation
- D. Vishing
- E. Smishing
- F. Misinformation
Explanation
The correct answers are: B. Phishing, E. Smishing.
A fraudulent text message from the payroll department asking for credential verification meets two definitions at once: it is phishing (the broad attack category covering electronic message deception) and it is smishing (the specific subset delivered via SMS). Selecting both labels is consistent with how the SY0-701 objectives present smishing — as a phishing variant — and gives the analyst the most accurate description of the technique used. Typosquatting registers lookalike domains and is unrelated to SMS. Impersonation is a tactic that overlaps but is not itself a named attack delivery vector in the same way. Vishing is voice-based phishing and is the wrong channel. Misinformation describes false content shared without malicious motive and is again the wrong category. Phishing plus smishing together capture the attack precisely.
Question 5
Several employees received a fraudulent text message from someone claiming to be the Chief Executive Officer (CEO). The message stated: “I’m in an airport right now with no access to email. I need you to buy gift cards for employee recognition awards. Please send the gift cards to the following email address.” Which of the following are the BEST responses to this situation? (Choose two.)
- A. Cancel current employee recognition gift cards.
- B. Add a smishing exercise to the annual company training.
- C. Issue a general email warning to the company.
- D. Have the CEO change phone numbers.
- E. Conduct a forensic investigation on the CEO’s phone.
- F. Implement mobile device management.
Explanation
The correct answers are: B. Add a smishing exercise to the annual company training. C. Issue a general email warning to the company.
The best responses to a fraudulent text message impersonating the CEO are to add a smishing exercise to the company's annual training and to issue a general warning email to the workforce. The exercise builds durable recognition skill across the company so that the next variant lands less successfully, and the immediate warning email tells everyone now that this specific scam is in flight so they do not act on it. Cancelling current employee recognition gift cards is unrelated to the smishing pattern itself. Having the CEO change phone numbers does not affect attackers who spoof identity rather than reach a real CEO number. A forensic investigation on the CEO's phone would only matter if the CEO's own device were suspected of compromise. Implementing MDM addresses corporate-device posture in general but does not specifically defend against this attack. Awareness exercise plus warning email is the targeted pair.