Complete Study Guide with Verified Questions and Detailed Rationales Covering
Threats, Attacks and Vulnerabilities, Network Security and Architecture, Identity
and Access Management (IAM), Cryptography and PKI, Risk Management and
Governance, Security Operations and Incident Response, Secure Network
Protocols, Cloud and Virtualization Security, Zero Trust Principles, and Scenario-
Based Questions for CompTIA Security+ Certification Exam Success
Question 1: Which of the following BEST describes the principle of least privilege in
cybersecurity?
A. Granting users maximum access to ensure productivity
B. Providing users only the access necessary to perform their job functions
C. Requiring multiple approvals for all system access requests
D. Implementing biometric authentication for all user accounts
CORRECT ANSWER: B. Providing users only the access necessary to perform their
job functions
RATIONALE: The principle of least privilege is a fundamental security concept that
minimizes potential damage by ensuring users, processes, and systems have only the
minimum levels of access needed to perform authorized tasks. This reduces the attack
surface and limits lateral movement in case of compromise.
Question 2: An attacker sends fraudulent emails appearing to come from a
legitimate financial institution to trick recipients into revealing credentials. This
attack is BEST classified as:
A. Phishing
B. Spear phishing
C. Whaling
D. Vishing
CORRECT ANSWER: A. Phishing
RATIONALE: Phishing is a broad social engineering attack where attackers send
deceptive communications, typically emails, masquerading as trustworthy entities to
steal sensitive information. Spear phishing targets specific individuals, whaling targets
executives, and vishing uses voice calls.
Question 3: Which cryptographic concept ensures that data has not been altered
during transmission?
A. Confidentiality
B. Integrity
C. Availability
D. Non-repudiation
CORRECT ANSWER: B. Integrity
RATIONALE: Integrity ensures that information remains accurate and unaltered during
storage, processing, or transmission. Cryptographic hash functions and message
authentication codes (MACs) are commonly used to verify data integrity.
Question 4: A security administrator implements a solution that inspects incoming
and outgoing network traffic based on predetermined security rules. This solution
is BEST described as:
A. Intrusion Detection System (IDS)
B. Firewall
C. Honeypot
D. Proxy server
CORRECT ANSWER: B. Firewall
RATIONALE: A firewall is a network security device that monitors and filters network
traffic based on predetermined security rules. It establishes a barrier between trusted
internal networks and untrusted external networks, controlling traffic flow to prevent
unauthorized access.
Question 5: Which of the following malware types replicates itself to spread to
other computers without user intervention?
A. Trojan
B. Worm
C. Ransomware
D. Spyware
CORRECT ANSWER: B. Worm
RATIONALE: Worms are self-replicating malware that spread across networks without
requiring user interaction. Unlike viruses that need a host file, worms exploit network
vulnerabilities to propagate independently, often consuming bandwidth and system
resources.
Question 6: In the CIA triad, what does the "A" stand for?
A. Authentication
B. Authorization
C. Availability
D. Accountability
CORRECT ANSWER: C. Availability
RATIONALE: The CIA triad represents the three core principles of information security:
Confidentiality (protecting data from unauthorized access), Integrity (ensuring data
accuracy), and Availability (ensuring authorized users can access data when needed).
Question 7: Which authentication factor is represented by a smart card?
A. Something you know
B. Something you have
C. Something you are
D. Somewhere you are
CORRECT ANSWER: B. Something you have
RATIONALE: Multi-factor authentication uses different categories: "something you
know" (passwords), "something you have" (smart cards, tokens), "something you are"
(biometrics), and "somewhere you are" (location). Smart cards are physical possession-
based authentication factors.
Question 8: A company implements a security model where no user or device is
trusted by default, even if inside the network perimeter. This approach is known as:
A. Defense in depth
B. Zero Trust
C. Role-based access control
D. Mandatory access control
CORRECT ANSWER: B. Zero Trust
RATIONALE: Zero Trust is a security framework requiring strict identity verification for
every person and device accessing resources on a network, regardless of whether they
are inside or outside the network perimeter. It operates on the principle of "never trust,
always verify."
Question 9: Which of the following is a symmetric encryption algorithm?
A. RSA
B. ECC
C. AES
D. Diffie-Hellman
CORRECT ANSWER: C. AES
RATIONALE: AES (Advanced Encryption Standard) is a symmetric encryption algorithm
using the same key for encryption and decryption. RSA, ECC, and Diffie-Hellman are
asymmetric algorithms using public/private key pairs.
Question 10: What is the PRIMARY purpose of a salt in password hashing?
A. To encrypt the password during transmission
B. To prevent rainbow table attacks by adding randomness
C. To compress the password for storage efficiency
D. To enable password recovery functionality
CORRECT ANSWER: B. To prevent rainbow table attacks by adding randomness
RATIONALE: A salt is random data added to a password before hashing. It ensures that
identical passwords produce different hash values, defeating precomputed rainbow
table attacks and forcing attackers to crack each password individually.
Question 11: Which network attack involves overwhelming a target with traffic to
make it unavailable to legitimate users?
A. Man-in-the-middle
B. SQL injection
C. Distributed Denial of Service (DDoS)
D. Cross-site scripting
CORRECT ANSWER: C. Distributed Denial of Service (DDoS)
RATIONALE: A DDoS attack floods a target system, server, or network with excessive
traffic from multiple sources, exhausting resources and preventing legitimate users
from accessing services. It is an attack on the availability principle of the CIA triad.
Question 12: Which protocol provides secure remote login and command
execution over an unsecured network?
A. Telnet
B. FTP
C. SSH
D. HTTP
CORRECT ANSWER: C. SSH
RATIONALE: SSH (Secure Shell) provides encrypted remote login and command
execution, protecting data confidentiality and integrity. Telnet, FTP, and HTTP transmit
data in plaintext, making them vulnerable to eavesdropping.
Question 13: A security team conducts a test where they attempt to exploit
vulnerabilities in a system with explicit permission. This activity is BEST described
as:
A. Vulnerability scanning
B. Penetration testing
C. Risk assessment
D. Security auditing
CORRECT ANSWER: B. Penetration testing
RATIONALE: Penetration testing involves authorized, simulated cyberattacks to identify
and exploit vulnerabilities, assessing real-world security posture. Vulnerability scanning
identifies potential weaknesses without exploitation, while risk assessment and
auditing are broader evaluation processes.
Question 14: Which of the following BEST describes a zero-day vulnerability?