Security Engineering for CompTIA SecurityX

This page covers the Security Engineering domain of the CompTIA SecurityX certification. Master Cybersecurity offers 48 practice questions in this domain, drawn from the same content we use across our timed exam simulations. Below are five sample questions with full answer explanations.

Sample Practice Questions

  1. Question 1

    A security administrator is performing a gap assessment against a specific OS benchmark. The benchmark requires the following configurations be applied to endpoints:
      - Full disk encryption
      - Host-based firewall
      - Time synchronization
      - Password policies
      - Application allow listing
      - Zero Trust application access
    Which of the following solutions best addresses the requirements? (Choose two.)
    A. MDM
    B. CASB
    C. SBoM
    D. SCAP
    E. SASE
    F. HIDS
    Explanation

    The correct answers are: A. MDM, D. SCAP.

    The benchmark mixes endpoint posture enforcement with standardized configuration assessment, so two complementary controls are needed. Mobile Device Management pushes and enforces full disk encryption, host-based firewall rules, time synchronization, password policy, and application allow listing across the fleet, and modern MDM integrates with Zero Trust application access through device compliance signals. SCAP (Security Content Automation Protocol) provides the standardized, machine-readable benchmarks and scanners to verify and report compliance against the configuration baseline, closing the audit loop. CASB focuses on cloud application traffic and SaaS data, not endpoint OS hardening. SBoM inventories software components for vulnerability tracking, which is unrelated to applying these configurations. SASE delivers network security as a service but does not enforce local OS settings, and HIDS detects intrusions on a host rather than provisioning the required baseline configuration.

  2. Question 2

    A company runs a DAST scan on a web application. The tool outputs the following recommendations:
      - Use Cookie prefixes.
      - Content Security Policy - SameSite=strict is not set.
    Which of the following vulnerabilities has the tool identified?
    A. RCE
    B. XSS
    C. CSRF
    D. TOCTOU
    Explanation

    The correct answer is: C. CSRF.

    Both findings, the missing SameSite=strict attribute and the absent cookie prefixes such as __Host- or __Secure-, point at controls that harden cookies specifically against forged cross-site requests, where an attacker's site causes the victim's browser to attach session cookies to an unwanted state-changing request; that is the textbook definition of Cross-Site Request Forgery. SameSite=strict instructs the browser not to send the cookie on cross-site navigations, and cookie prefixes bind cookies to secure, scoped contexts so they cannot be overwritten by less secure subdomains. Remote Code Execution stems from injection or deserialization flaws and is unaffected by cookie attributes. Cross-Site Scripting is mitigated primarily by output encoding and Content Security Policy script-src directives, not by SameSite. Time-Of-Check to Time-Of-Use is a concurrency race condition in resource handling and has no relation to cookie behavior in the browser.
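As an added illustration that is not part of the original question or its explanation, the following Python check reproduces the two DAST findings (SameSite=Strict, cookie prefixes) against constructed Set-Cookie headers and also applies the __Host-/__Secure- prefix rules from RFC 6265bis that browsers enforce. The header values are sample strings, not output from any real application.

```python
from __future__ import annotations

# Constructed Set-Cookie headers standing in for what the DAST scan would
# observe; these are sample values, not output from any real application.
HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly",
    "__Host-sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Strict",
    "__Secure-pref=dark; Domain=example.com; Path=/; HttpOnly; SameSite=Lax",
]

def parse_set_cookie(header: str) -> tuple[str, dict[str, str]]:
    """Return (cookie_name, {attribute_lowercased: value}) for one header."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.lower()] = value
    return name, attrs

def csrf_findings(header: str) -> list[str]:
    """List CSRF-hardening gaps in one Set-Cookie header: the two findings
    from the question (SameSite=Strict, cookie prefixes) plus the prefix
    rules from RFC 6265bis that the browser itself enforces."""
    name, attrs = parse_set_cookie(header)
    findings = []
    if attrs.get("samesite", "").lower() != "strict":
        # Without SameSite=Strict the browser attaches the cookie to
        # cross-site requests, which is exactly what CSRF relies on.
        findings.append("SameSite=Strict is not set")
    if "secure" not in attrs:
        findings.append("Secure flag missing")
    if name.startswith("__Host-"):
        # __Host- cookies must be Secure, have Path=/ and carry no Domain
        # attribute, so a less trusted subdomain cannot overwrite them.
        if "domain" in attrs or attrs.get("path") != "/" or "secure" not in attrs:
            findings.append("__Host- prefix requirements not met")
    elif name.startswith("__Secure-"):
        # __Secure- cookies are only accepted over HTTPS with Secure set.
        if "secure" not in attrs:
            findings.append("__Secure- prefix requires the Secure flag")
    else:
        findings.append("no cookie prefix (__Host- or __Secure-)")
    return findings

def scan(headers: list[str]) -> dict[str, list[str]]:
    """Run csrf_findings over every header, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: csrf_findings(h) for h in headers}
```

Only the second constructed header passes cleanly; the first reproduces both recommendations from the question verbatim.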

  3. Question 3

    A company hired an email service provider called my-email.com to deliver company emails. The company started having several issues during the migration. A security engineer is troubleshooting and observes the following configuration snippet: Which of the following should the security engineer modify to fix the issue? (Choose two.)
    A. The email CNAME record must be changed to a type A record pointing to 192.168.1.11
    B. The TXT record must be changed to "v=dmarc ip4:192.168.1.10 include:my-email.com ~all"
    C. The srv01 A record must be changed to a type CNAME record pointing to the email server
    D. The email CNAME record must be changed to a type A record pointing to 192.168.1.10
    E. The TXT record must be changed to "v=dkim ip4:192.168.1.11 include :my-email.com ~all"
    F. The TXT record must be changed to "v=spf ip4:192.168.1.10 include :my-email.com ~all"
    G. The srv01 A record must be changed to a type CNAME record pointing to the web01 server
    Explanation

    The correct answers are: D. The email CNAME record must be changed to a type A record pointing to 192.168.1.10, F. The TXT record must be changed to "v=spf ip4:192.168.1.10 include :my-email.com ~all".

    Email delivery for a domain that hands off mail to a third-party provider depends on two correct DNS records: a hostname that resolves to the provider's mail infrastructure and an SPF record that authorizes the provider to send on the domain's behalf. Changing the email CNAME entry to a type A record pointing to 192.168.1.10 anchors the published mail hostname to the provider's actual IP rather than relying on a chained alias that can break MX or reverse-lookup expectations. Pairing that with a TXT record set to v=spf1 ip4:192.168.1.10 include:my-email.com ~all authoritatively declares which sources may send for the domain, making receivers accept legitimate mail and reject spoofs. Pointing the email A record at 192.168.1.11 mismatches the sending host. DMARC syntax does not use ip4 or include mechanisms, so that option is malformed. Rewriting srv01 to a CNAME of the email server or web01 breaks unrelated services. A DKIM TXT record using SPF-style ip4 and include tokens is not valid DKIM syntax, which uses v=DKIM1 with public key material, so it would not authenticate anything.
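As an added example that is not part of the original question or explanation, this Python snippet parses SPF TXT records the way a receiving mail server does and shows why only the v=spf1 form is accepted while the DMARC- and DKIM-prefixed variants are rejected outright. The candidate records are constructed from the answer options; include:, a and mx terms are not resolved because that would need DNS.

```python
import ipaddress
# Constructed TXT records modelled on the question's answer options; sample
# strings only, not records pulled from any real DNS zone.
CANDIDATES = {
    "spf":   "v=spf1 ip4:192.168.1.10 include:my-email.com ~all",
    "dmarc": "v=dmarc ip4:192.168.1.10 include:my-email.com ~all",
    "dkim":  "v=dkim ip4:192.168.1.11 include:my-email.com ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MECHANISMS = {"all", "ip4", "ip6", "a", "mx", "include", "exists", "ptr"}

def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms;
    raise ValueError on syntax a receiving MTA would reject."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("SPF records must start with exactly 'v=spf1'")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"  # an unqualified mechanism means 'pass'
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.lower().partition(":")
        if name not in MECHANISMS:
            raise ValueError(f"unknown mechanism '{name}'")
        if name in ("ip4", "ip6", "include", "exists") and not arg:
            raise ValueError(f"'{name}' requires an argument")
        if name in ("ip4", "ip6"):
            ipaddress.ip_network(arg, strict=False)  # ValueError if malformed
        parsed.append((qualifier, name, arg))
    return parsed

def spf_error(record):
    """Return None when the record parses, otherwise the parser's complaint."""
    try:
        parse_spf(record)
        return None
    except ValueError as exc:
        return str(exc)

def check_sender(record, sender_ip):
    """Evaluate a sending IP against the record's ip4/ip6 terms. include:,
    a and mx need DNS lookups, so offline they are treated as no-match."""
    ip = ipaddress.ip_address(sender_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all" or (name in ("ip4", "ip6")
                             and ip in ipaddress.ip_network(arg, strict=False)):
            return QUALIFIERS[qualifier]
    return "neutral"  # nothing matched and no 'all' term: RFC 7208 default
```

With the valid record, mail from 192.168.1.10 evaluates to pass and mail from any other address falls through to the ~all softfail, which is the behaviour the explanation describes.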

  4. Question 4

    An organization recently implemented a policy that requires all passwords to be rotated every 90 days. An administrator sees a large volume of failed sign-on logs from multiple servers that are often accessed by users. The administrator determines users are disconnecting from the RDP session but not logging off. Which of the following should the administrator do to prevent account lockouts?
    A. Increase the account lockout threshold.
    B. Enforce password complexity.
    C. Force daily reboots.
    D. Extend the allowed session length.
    Explanation

    The correct answer is: C. Force daily reboots.

    Users disconnecting from RDP without logging off leave their sessions active, and when the 90-day rotation requires a new password, automated services, scripts, or the cached session continue to present the old credentials, triggering account lockouts from repeated authentication failures across servers. Forcing daily reboots terminates these orphaned sessions and stale credential caches at predictable intervals, eliminating the root cause of the failed sign-on storms. Increasing the lockout threshold masks the symptom while still allowing more failed attempts and brute-force exposure. Enforcing password complexity addresses guessability, not the disconnected-session behavior. Extending allowed session length makes the problem worse by keeping stale sessions alive even longer, so reboots are the targeted fix that aligns with the diagnosed cause.

  5. Question 5

    A security analyst is reviewing the following code in the public repository for potential risk concerns: Which of the following should the security analyst recommend first to remediate the vulnerability?
    A. Developing role-based security awareness training
    B. Revoking the secret used in the solution
    C. Purging code from public view
    D. Scanning the application with SAST
    Explanation

    The correct answer is: B. Revoking the secret used in the solution.

    A secret published in a public code repository is considered compromised the moment it is exposed because anyone, including bots that continuously scrape Git history, may already have harvested it, so the immediate priority is to revoke and rotate that credential at its source of trust before doing anything else; deleting the file does not invalidate a key that has already been observed. Developing role-based security awareness training is a long-term cultural control that does nothing to neutralize the active exposure. Purging the code from public view feels intuitive, but Git history, forks, and third-party mirrors mean the secret cannot be considered erased; only revocation closes the door. Running a SAST scan helps discover other issues going forward but is a detection step, not a remediation, and the question asks what to do first to remediate the live vulnerability.
