CCNA Logical Security Concepts Questions

30 questions · Logical Security Concepts · All types, answers revealed

1
MCQmedium

A company is implementing a new policy that requires users to authenticate using both a password and a one-time code sent to their mobile phone. What type of authentication factor is the one-time code?

A.Something you are
B.Something you know
C.Something you have
D.Somewhere you are
AnswerC

The one-time code is delivered to a device (the phone) that the user possesses, making it a 'something you have' factor.

Why this answer

Authentication factors are categorized as something you know (password), something you have (token or phone), and something you are (biometrics). A one-time code sent to a mobile phone is considered 'something you have' because access to the phone is required. This question tests the classification of multi-factor authentication components.

2
MCQmedium

A technician is configuring a small office network and wants to ensure that guest users can access the internet but cannot connect to internal company resources like file servers or printers. Which logical security method should be implemented?

A.Enable MAC address filtering on the wireless access point.
B.Implement a guest VLAN that is isolated from the internal network.
C.Require a complex password for the guest Wi-Fi network.
D.Disable the SSID broadcast for the guest network.
AnswerB

A guest VLAN creates a separate logical network segment, allowing internet access while blocking access to internal resources via routing rules.

Why this answer

Option B is correct because a guest VLAN configured with access control lists (ACLs) or private VLAN features isolates guest traffic from the internal corporate VLAN. This ensures guest users can reach the internet via a default gateway or NAT while being unable to route or bridge to internal subnets containing file servers or printers. This is a standard logical segmentation method defined in IEEE 802.1Q.

Exam trap

In CompTIA A+ exams, candidates often confuse access control methods like passwords or SSID hiding with true network segmentation. The key is that logical segmentation via VLANs isolates traffic at Layer 2, whereas authentication and association controls only restrict who can connect, not what they can access once connected.

How to eliminate wrong answers

Option A is wrong because MAC address filtering only controls which devices can associate with the wireless network; it does not restrict access to internal resources once a device is connected. Option C is wrong because a complex password only authenticates users to the Wi-Fi network; it does not prevent authenticated guest users from accessing internal subnets. Option D is wrong because disabling SSID broadcast merely hides the network name from beacon frames; it does not provide any logical separation between guest and internal traffic.

3
MCQhard

A user reports that they can no longer access the internet after installing a new software application. The technician suspects the application modified system settings. Which security feature could have prevented this?

A.Windows Defender Firewall
B.User Account Control (UAC)
C.BitLocker Drive Encryption
D.Windows Defender Antivirus
AnswerB

UAC prompts for administrator approval before system changes, which could have blocked the application from modifying settings.

Why this answer

User Account Control (UAC) is the correct answer because it is specifically designed to prevent unauthorized changes to system settings by prompting for administrator approval before allowing software to make modifications that affect system-wide configurations, such as network or security settings. When a new application attempts to modify system settings (e.g., proxy, DNS, or firewall rules) without explicit consent, UAC can block or require elevation, thus preventing the reported internet access issue. This aligns with the scenario where the technician suspects the application altered system settings, as UAC directly controls privilege escalation for such actions.

Exam trap

CompTIA A+ exams often test the misconception that a firewall (Option A) can prevent unauthorized system modifications, but the trap here is that firewalls only control network traffic, not local system setting changes, which is a distinct security function handled by UAC.

How to eliminate wrong answers

Option A is wrong because Windows Defender Firewall is a host-based packet filter that controls inbound and outbound network traffic based on rules, but it does not prevent software from modifying system settings like proxy or DNS configurations; it only blocks or allows network connections. Option C is wrong because BitLocker Drive Encryption is a full-disk encryption feature that protects data at rest by encrypting the entire drive, but it has no mechanism to prevent software from altering system settings or network configurations. Option D is wrong because Windows Defender Antivirus is a malware detection and removal tool that scans for known malicious signatures and behaviors, but it does not inherently block legitimate software from changing system settings unless the change is identified as malicious by heuristic analysis, which is not guaranteed for non-malicious applications.

4
MCQhard

During a routine security scan, a technician finds that a user's workstation has an open port 3389 that is accessible from the internet. The user denies enabling Remote Desktop. What is the most likely security implication and immediate action?

A.The port is likely used by a legitimate application; no action is needed.
B.Disable the Remote Desktop service and block port 3389 at the firewall immediately.
C.Change the RDP listening port to a non-standard port to hide it.
D.Enable Network Level Authentication (NLA) on the workstation.
AnswerB

Disabling the service and blocking the port at the firewall are the correct immediate steps to eliminate the exposure, followed by an investigation into how it was enabled.

Why this answer

Port 3389 is the default port for Remote Desktop Protocol (RDP). An open RDP port accessible from the internet is a critical security risk because it exposes the workstation to brute-force attacks, credential theft, and remote exploitation (e.g., BlueKeep, CVE-2019-0708). The immediate action is to disable the Remote Desktop service and block port 3389 at the firewall, as the user denies enabling it, indicating possible unauthorized activation or malware.

Exam trap

CompTIA A+ exams often test the misconception that changing a default port or enabling additional authentication is sufficient to secure an exposed service, when the correct immediate action is to close the port and disable the service entirely.

How to eliminate wrong answers

Option A is wrong because port 3389 is exclusively assigned to RDP by IANA; no legitimate internet-facing application uses this port by default, and leaving it open invites exploitation. Option C is wrong because changing the listening port to a non-standard port is security through obscurity and does not address the root cause; attackers can still discover the port via scanning and the service remains vulnerable. Option D is wrong because enabling Network Level Authentication (NLA) only adds an authentication layer but does not prevent exposure to the internet; the port remains open and accessible, still allowing brute-force or vulnerability-based attacks.

5
MCQeasy

A user reports that their workstation is running slowly and they see a pop-up claiming their files are encrypted and a ransom must be paid. They cannot open any documents. What type of malware is most likely responsible?

A.Spyware
B.Ransomware
C.Trojan horse
D.Rootkit
AnswerB

Ransomware encrypts files and displays a ransom demand, which perfectly matches the symptoms described.

Why this answer

Ransomware encrypts files and demands payment for decryption. This scenario describes classic ransomware behavior, where the user is locked out of their data and a ransom note is displayed.

6
MCQeasy

A small business wants to ensure that only authorized personnel can access the server room. The budget is limited, and they need a simple, cost-effective solution. Which logical security control should they implement first?

A.Install a biometric fingerprint scanner on the door.
B.Require a smart card or key fob to unlock the door.
C.Implement a strong password policy for all user accounts.
D.Hire a security guard to check IDs at the entrance.
AnswerB

Smart cards or key fobs are relatively inexpensive, easy to manage, and provide a logical access control mechanism that can be quickly revoked if lost.

Why this answer

A smart card or key fob provides a simple, cost-effective logical access control for the server room door. It authenticates users via a physical token and a PIN or proximity reader, which is far cheaper than biometric systems and more reliable than a password policy that doesn't control physical entry. This directly restricts physical access to authorized personnel without ongoing costs like a security guard.

Exam trap

CompTIA often tests the distinction between logical and physical security controls, and the trap here is that candidates confuse a strong password policy (a logical control for user accounts) with a physical access control mechanism for a server room door.

How to eliminate wrong answers

Option A is wrong because biometric fingerprint scanners are significantly more expensive to purchase, install, and maintain, and they often require ongoing calibration and user enrollment, making them unsuitable for a limited budget. Option C is wrong because a strong password policy controls logical access to user accounts and network resources, not physical entry to a server room; it does not prevent an unauthorized person from walking through the door. Option D is wrong because hiring a security guard is a recurring, high-cost solution that exceeds the limited budget and is not a logical security control—it is a physical security measure.

7
MCQmedium

During a security audit, you find that a user's workstation has a USB device that automatically logs in to a cloud storage account when inserted. What security best practice is being violated?

A.Password complexity requirements
B.Account lockout policies
C.Disabling auto-run
D.Enforcing screen locks
AnswerC

Disabling auto-run prevents devices from automatically executing code, which stops this type of automatic login.

Why this answer

USB auto-run devices can bypass authentication and pose a security risk. Disabling auto-run prevents unauthorized access and malware from executing automatically, which is a key security practice.

8
MCQmedium

A technician is setting up a new wireless network for a small office. They want to ensure that only company-issued devices can connect, and that data transmitted over the air is encrypted. Which combination of settings should they use?

A.WPA2 with TKIP encryption and SSID broadcast disabled.
B.WPA3 with AES encryption and MAC address filtering.
C.WEP with 128-bit key and a strong password.
D.Open network with a captive portal requiring employee login.
AnswerB

WPA3 with AES provides strong encryption, and MAC filtering restricts access to approved devices.

Why this answer

Option B is correct because WPA3 with AES encryption provides the strongest wireless security standard, ensuring robust data confidentiality and integrity. MAC address filtering adds an additional layer of access control, allowing only company-issued devices (with pre-approved MAC addresses) to connect, which aligns with the requirement to restrict access to authorized devices.

Exam trap

A common misconception is that disabling SSID broadcast or using MAC filtering alone provides strong security, but the trap here is that encryption (WPA3 with AES) is the primary defense, and MAC filtering is only a supplementary control, not a replacement for encryption.

How to eliminate wrong answers

Option A is wrong because WPA2 with TKIP encryption is outdated and insecure; TKIP is deprecated and vulnerable to attacks like Michael and Beck-Tews, and disabling SSID broadcast only hides the network name, not preventing determined attackers from discovering it. Option C is wrong because WEP with any key length, including 128-bit, is fundamentally broken and can be cracked in minutes using tools like aircrack-ng, providing no real security. Option D is wrong because an open network with a captive portal does not encrypt data transmitted over the air, leaving it vulnerable to eavesdropping and man-in-the-middle attacks, and it does not prevent unauthorized devices from associating with the network.

9
MCQmedium

A company requires that all sensitive data be encrypted when stored on laptops. Which technology should be implemented to ensure data is protected even if a laptop is stolen?

A.File-level encryption using EFS
B.BitLocker Drive Encryption
C.TPM chip only
D.Secure Boot
AnswerB

BitLocker provides full disk encryption, protecting all data on the drive, which is ideal for stolen laptops.

Why this answer

BitLocker Drive Encryption provides full-volume encryption that protects all data on the system drive, including the operating system, applications, and user files. Even if a laptop is stolen and the hard drive is removed, the data remains inaccessible without the correct recovery key or authentication credentials, ensuring compliance with data protection requirements.

Exam trap

The trap here is that candidates often confuse file-level encryption (EFS) with full-disk encryption, mistakenly believing that encrypting individual files provides sufficient protection for an entire stolen laptop, when in fact EFS leaves system files, temporary files, and the pagefile unencrypted and vulnerable.

How to eliminate wrong answers

Option A is wrong because file-level encryption using EFS (Encrypting File System) only encrypts individual files or folders and relies on the user's profile and certificate, which can be bypassed if an attacker gains administrative access or extracts the decryption keys from the operating system. Option C is wrong because a TPM chip alone does not encrypt data; it is a hardware component that stores cryptographic keys and can be used with BitLocker to enhance security, but without full-disk encryption software, the data on the drive remains unencrypted and readable. Option D is wrong because Secure Boot is a UEFI feature that verifies the integrity of the boot process to prevent unauthorized operating systems or malware from loading, but it does not encrypt any data on the storage device.

10
MCQhard

A company's security policy mandates that all remote access connections must be authenticated using two different factors. A technician is configuring VPN access for teleworkers. Which combination meets this requirement?

A.Username and password only.
B.Smart card and PIN.
C.Biometric fingerprint and a PIN.
D.Two different passwords.
AnswerB, C

Correct. A smart card (something you have) plus a PIN (something you know) constitutes two distinct factors.

Why this answer

Option B (smart card + PIN) uses something you have and something you know, while option C (biometric fingerprint + PIN) uses something you are and something you know. Both combinations satisfy the mandate for two different authentication factors, making both correct. The question does not prioritize one over the other based on practical implementation.

Exam trap

Candidates may think that only the smart card + PIN combination is valid because it's the most common in enterprise VPN setups. However, the question's requirement is simply 'two different factors,' which both B and C meet.

How to eliminate wrong answers

Option A is wrong because username and password are both 'something you know' factors, representing only a single authentication factor, not two different factors. Option C is wrong because biometric fingerprint (something you are) and a PIN (something you know) are two different factors, but the question specifies a smart card and PIN as the correct combination; however, the trap is that biometrics are often considered a valid second factor, but the exam expects the specific pairing of smart card and PIN as the correct answer. Option D is wrong because two different passwords are still both 'something you know' factors, providing only one factor type and no second factor.

11
MCQhard

An organization wants to ensure that even if a laptop is stolen, the data on the hard drive cannot be read. The laptop runs Windows 10 Pro and is used by employees who travel frequently. Which security feature should be enabled?

A.Enable BitLocker Drive Encryption on the system drive.
B.Set a strong BIOS/UEFI password.
C.Configure a screensaver password with a short timeout.
D.Use EFS to encrypt individual files and folders.
AnswerA

BitLocker encrypts the entire drive, ensuring that if the laptop is stolen, the data cannot be accessed without the recovery key or TPM authentication.

Why this answer

BitLocker Drive Encryption is the correct choice because it encrypts the entire system drive at the block level, using AES encryption (typically 128-bit or 256-bit) with a TPM (Trusted Platform Module) to protect the encryption keys. This ensures that if the laptop is stolen, the hard drive cannot be removed and read from another system, as the data remains encrypted without the correct authentication (e.g., TPM + PIN or recovery key).

Exam trap

CompTIA A+ often tests the distinction between encryption at rest (BitLocker) and access control (BIOS password, screensaver) or partial encryption (EFS), leading candidates to choose a non-encryption option that does not protect data when the drive is physically removed.

How to eliminate wrong answers

Option B is wrong because a strong BIOS/UEFI password only prevents unauthorized booting or changes to firmware settings, but it does not encrypt the hard drive; an attacker can remove the drive and read its data directly from another machine. Option C is wrong because a screensaver password with a short timeout only locks the user session when idle, but it does not protect data if the laptop is stolen while powered off or if the drive is removed; it also does not encrypt the drive. Option D is wrong because EFS (Encrypting File System) encrypts only individual files and folders at the file system level, not the entire drive, and it relies on the user's Windows profile, which can be bypassed if the drive is removed or if the user account is compromised; it also does not protect system files or the pagefile.

12
MCQmedium

A technician is configuring a new firewall for a small office. They need to allow remote employees to securely access the internal network. Which technology should be enabled on the firewall?

A.Port forwarding
B.VPN passthrough
C.VPN server
D.DMZ
AnswerC

A VPN server on the firewall enables remote users to establish encrypted connections to the internal network.

Why this answer

A VPN server on the firewall enables secure remote access by encrypting traffic between remote employees and the internal network, typically using protocols like IPsec or SSL/TLS. This provides authenticated, encrypted tunnels that protect data in transit, which is the standard solution for secure remote connectivity.

Exam trap

The trap here is that candidates confuse 'VPN passthrough' (which only forwards existing VPN traffic) with 'VPN server' (which terminates and creates VPN connections), leading them to select option B when the question explicitly asks for enabling secure remote access.

How to eliminate wrong answers

Option A is wrong because port forwarding only redirects external traffic to a specific internal IP/port without encryption or authentication, exposing internal services directly to the internet. Option B is wrong because VPN passthrough merely allows existing VPN traffic (from a client to an external VPN server) to traverse the firewall, it does not terminate or create a VPN connection for remote employees. Option D is wrong because a DMZ is a separate network segment for public-facing servers, not a mechanism for secure remote access to the internal network.

13
MCQeasy

A user reports that they can no longer access their encrypted files after a recent password change. The files were encrypted using EFS on a Windows 10 Pro workstation. What is the most likely cause of this issue?

A.The user changed the password via Ctrl+Alt+Del, which invalidates the EFS certificate.
B.The user did not back up their EFS certificate before changing the password.
C.The user's account was removed from the local Administrators group during the password change.
D.The hard drive has a hardware failure that corrupted the encrypted files.
AnswerB

EFS uses a certificate tied to the user's password. Without a backup, changing the password can render the encryption key inaccessible, requiring a recovery agent or certificate import.

Why this answer

EFS (Encrypting File System) uses a per-user certificate that is tied to the user's password hash. When a user changes their password without first backing up the EFS certificate, the system may lose access to the private key because the certificate's master key is encrypted with the old password hash. Without a backup of the certificate and private key, the encrypted files become permanently inaccessible.

Exam trap

The trap here is that candidates often think password changes via Ctrl+Alt+Del are safe or that EFS certificates are automatically updated, when in fact the critical step is backing up the EFS certificate before any password change to avoid permanent data loss.

How to eliminate wrong answers

Option A is wrong because changing the password via Ctrl+Alt+Del does not invalidate the EFS certificate; the certificate remains valid, but the system may fail to decrypt the master key if the password change is not handled properly (e.g., via a domain controller or with a password reset disk). Option C is wrong because removing a user from the local Administrators group does not affect EFS decryption capabilities; EFS permissions are based on the user's certificate and private key, not group membership. Option D is wrong because a hardware failure would typically cause read/write errors or data corruption visible at the file system level, not a specific inability to decrypt files after a password change; EFS encryption is independent of physical disk health.

14
MCQmedium

During a security audit, an administrator discovers that several employees have written their domain passwords on sticky notes attached to their monitors. The company policy requires strong passwords and prohibits sharing credentials. Which security principle is being violated?

A.Principle of least privilege
B.Account lockout policy
C.Password confidentiality
D.Multi-factor authentication
AnswerC

Password confidentiality requires that passwords be known only to the authorized user. Writing them on sticky notes compromises this by making them visible to others.

Why this answer

Password confidentiality is the principle that passwords must be kept secret and known only to the authorized user. By writing domain passwords on sticky notes attached to monitors, employees are exposing credentials to anyone with physical access, directly violating this principle. The company policy explicitly prohibits sharing credentials, and this practice undermines the security of the domain authentication system.

Exam trap

CompTIA A+ often tests the distinction between password confidentiality (keeping passwords secret) and other security controls like least privilege or MFA, leading candidates to confuse the principle of not sharing credentials with access restriction or authentication methods.

How to eliminate wrong answers

Option A is wrong because the principle of least privilege restricts user access rights to only what is necessary for their job functions, not how passwords are stored or shared. Option B is wrong because an account lockout policy defines the number of failed login attempts before an account is temporarily disabled, which is unrelated to the physical exposure of passwords. Option D is wrong because multi-factor authentication (MFA) requires two or more verification factors (e.g., password plus token), but the violation here is the failure to keep the password confidential, not the absence of additional authentication layers.

15
MCQmedium

A user calls the help desk saying they cannot access a shared folder on the network. They can access other shares on the same server. The technician verifies the user's account is active and the folder exists. What should the technician check next to resolve the access issue?

A.Check if the user's password has expired.
B.Verify the user has been added to the local Administrators group.
C.Review the NTFS permissions on the shared folder.
D.Reboot the file server to clear any cached permissions.
AnswerC

NTFS permissions can deny access to specific users even if share permissions allow it, explaining the isolated issue.

Why this answer

Since the user can access other shares on the same server, the issue is isolated to a specific shared folder. NTFS permissions control access at the folder level independently of share permissions, and a missing or incorrect NTFS entry for the user would block access even if the share permissions are open. The technician should review the NTFS permissions on that folder to ensure the user or their group has at least Read access.

Exam trap

A common trap is to assume that share permissions alone control access, but NTFS permissions are the granular layer that can block a user even when share permissions are permissive and other folders work.

How to eliminate wrong answers

Option A is wrong because the user can access other shares on the same server, so an expired password would block all network access, not just one folder. Option B is wrong because adding a user to the local Administrators group grants excessive privileges and is not required for folder access; it would not resolve a missing NTFS permission entry. Option D is wrong because rebooting the server clears cached permissions only temporarily and does not fix the underlying permission configuration; the issue will recur after the reboot.

16
MCQmedium

A user receives an email that appears to be from their bank, asking them to click a link and verify their account information due to 'suspicious activity.' The email address looks legitimate, but the link points to a different domain. What type of attack is this?

A.Spear phishing
B.Phishing
C.Whaling
D.Vishing
AnswerB

Phishing is a broad term for fraudulent emails attempting to obtain sensitive data by posing as a legitimate entity, matching the scenario exactly.

Why this answer

This is a classic phishing attack because the email uses social engineering to trick the user into clicking a link that leads to a fraudulent domain, even though the sender's address appears legitimate. Phishing is a broad category of social engineering where attackers impersonate a trusted entity to steal credentials or sensitive information, and the mismatched link is the key indicator.

Exam trap

CompTIA A+ often tests the distinction between generic phishing and targeted variants like spear phishing or whaling, and the trap here is that candidates see a legitimate-looking sender address and assume it's spear phishing, missing the broad, unsolicited nature of the attack.

How to eliminate wrong answers

Option A is wrong because spear phishing targets a specific individual or organization with personalized details, whereas this scenario describes a generic email sent to any user. Option C is wrong because whaling targets high-profile executives or senior management, not a general user. Option D is wrong because vishing (voice phishing) uses phone calls or voicemail, not email, to deceive victims.

17
MCQmedium

A technician is configuring a new employee's laptop and needs to ensure that only approved applications can run. The company wants to prevent users from installing unauthorized software. Which security control should be implemented?

A.Enable Windows Defender real-time protection.
B.Set the user account as a Standard User.
C.Configure an application whitelist using AppLocker.
D.Disable the Windows Store.
AnswerC

AppLocker enforces a whitelist, allowing only specified applications to run, directly meeting the requirement.

Why this answer

AppLocker is a Windows security feature that allows administrators to create rules that explicitly permit only approved applications to run, effectively blocking all others. This is the correct control for preventing unauthorized software installation because it enforces an application whitelist at the kernel level, overriding user permissions. Standard User accounts or antivirus alone cannot prevent execution of approved-but-unauthorized binaries, making AppLocker the precise solution for this requirement.

Exam trap

CompTIA expects you to recognize that while Standard User accounts limit some installations, AppLocker is the specific control for application whitelisting. The common pitfall is assuming user permissions alone can block all unauthorized software.

How to eliminate wrong answers

Option A is wrong because Windows Defender real-time protection is an antivirus/antimalware solution that detects and blocks malicious software based on signatures and behavior, not a mechanism to restrict execution to only approved applications; it does not prevent a user from running a non-malicious but unauthorized application. Option B is wrong because setting the user account as a Standard User limits system-level changes but does not prevent the user from running any executable they have access to; a standard user can still launch unauthorized applications from their profile or removable media. Option D is wrong because disabling the Windows Store only blocks installation of Store apps, but does not prevent installation or execution of traditional Win32 executables, scripts, or other software from any other source.

18
MCQhard

A company's security policy requires that user accounts be disabled after 90 days of inactivity. An administrator needs to implement this automatically. Which feature should they configure?

A.Password expiration policy
B.Account lockout threshold
C.User account expiration
D.Group Policy refresh interval
AnswerC

User account expiration can be set to disable accounts after a specific date or period of inactivity, meeting the requirement.

Why this answer

User account expiration allows an administrator to set a specific date or, in some directory services like Active Directory, a duration after which the account is automatically disabled. By configuring the account to expire after 90 days from the last logon, the policy requirement is met automatically without manual intervention.

Exam trap

CompTIA often tests the distinction between account expiration (which disables an account after a set date) and account lockout (which disables after failed logins), leading candidates to confuse inactivity-based disabling with lockout policies.

How to eliminate wrong answers

Option A is wrong because password expiration policy forces users to change passwords periodically but does not disable accounts after inactivity; it only enforces password age limits. Option B is wrong because account lockout threshold disables an account after a specified number of failed login attempts, not after a period of inactivity. Option D is wrong because Group Policy refresh interval controls how often client computers update Group Policy settings, not the disabling of user accounts based on inactivity.

19
MCQmedium

During a security audit, it is discovered that a former employee's user account is still active and has been used to log in remotely three times in the past month. Which logical security principle has been violated?

A.Separation of duties
B.Least privilege
C.Defense in depth
D.Mandatory access control
AnswerB

The former employee no longer needs any access, so the account violates least privilege by still having permissions.

Why this answer

The correct answer is B, least privilege. The principle of least privilege requires that users be granted only the minimum access rights necessary to perform their job functions. A former employee's account remaining active and being used for remote logins violates this principle because the account should have been disabled or deleted upon termination, removing all access privileges.

Exam trap

CompTIA often tests least privilege by presenting a scenario involving account termination or excessive permissions, and the trap here is confusing it with separation of duties, which focuses on task division rather than access minimization.

How to eliminate wrong answers

Option A is wrong because separation of duties involves dividing critical tasks among multiple users to prevent fraud or error, not managing account lifecycles. Option C is wrong because defense in depth is a layered security strategy using multiple controls (e.g., firewalls, IDS, encryption), not a principle about individual user access rights. Option D is wrong because mandatory access control (MAC) is a system-enforced policy based on labels and clearances (e.g., in SELinux or classified systems), not about disabling accounts after employment ends.

20
MCQeasy

A small business wants to ensure that only authorized employees can access the file server from their laptops. Each laptop has a unique MAC address. Which security measure should be implemented on the network switch?

A.Disable SSID broadcast
B.Enable WPA3 encryption
C.Configure MAC filtering
D.Change the default admin password
AnswerC

MAC filtering allows only devices with approved MAC addresses to access the network, meeting the requirement.

Why this answer

Option C is correct because MAC filtering on a network switch allows the administrator to create an access control list (ACL) that permits or denies traffic based on the source MAC address. By configuring the switch to allow only the MAC addresses of authorized employee laptops, the small business can restrict file server access to those specific devices, even if they connect via a wired Ethernet port.

Exam trap

The trap here is that candidates confuse wireless security features (SSID, WPA3) with wired network access controls, or they mistakenly think changing the admin password restricts user access to network resources rather than just protecting the switch itself.

How to eliminate wrong answers

Option A is wrong because disabling SSID broadcast is a wireless security measure that hides the network name from beacon frames; it does not control access on a wired switch and does not authenticate individual laptops. Option B is wrong because WPA3 encryption is a Wi-Fi security protocol for wireless networks, not a feature that can be configured on a wired Ethernet switch to filter traffic by MAC address. Option D is wrong because changing the default admin password protects the switch's management interface from unauthorized configuration changes, but it does not enforce per-device access control to the file server.

21
MCQeasy

An employee receives an email that appears to be from the CEO, asking them to urgently wire funds to a new vendor. The email address looks similar to the CEO's but has a slight typo. What type of social engineering attack is this?

A.Phishing
B.Whaling
C.Spear phishing
D.Vishing
AnswerB

Whaling is a targeted phishing attack against high-profile individuals like the CEO, often involving impersonation.

Why this answer

B is correct because whaling is a targeted phishing attack aimed at high-profile individuals like the CEO or CFO, often using a fake but similar email address to request urgent financial transfers. The slight typo in the email address (e.g., ceo@company.com vs. ceo@cornpany.com) is a classic whaling tactic to bypass casual inspection, exploiting the authority of the executive to pressure the victim into bypassing normal verification procedures.

Exam trap

CompTIA A+ often tests the distinction between spear phishing and whaling by making candidates recognize that whaling is a specific type of spear phishing targeting executives, not just any targeted email attack.

How to eliminate wrong answers

Option A is wrong because phishing is a broad, untargeted attack sent to many users, often with generic messages (e.g., 'your account is compromised'), not a personalized request from a specific executive. Option C is wrong because spear phishing targets a specific individual or group but does not necessarily focus on high-level executives; whaling is a subset of spear phishing that specifically targets senior management. Option D is wrong because vishing (voice phishing) uses phone calls or voice messages, not email, to deceive victims into revealing sensitive information or performing actions like wire transfers.

22
MCQeasy

A user complains that their computer is running very slowly, and they see frequent pop-up ads even when no browser is open. They also notice a new toolbar in their browser that they did not install. What is the most likely security issue?

A.A rootkit has hidden itself in the system's firmware.
B.A worm is spreading through the network, consuming bandwidth.
C.The system is infected with adware that displays unsolicited advertisements.
D.A Trojan horse has stolen the user's banking credentials.
AnswerC

Adware is specifically designed to generate revenue through unwanted ads and often bundles toolbars, matching the user's description exactly.

Why this answer

The symptoms—pop-up ads without a browser open, an unwanted toolbar, and system slowdown—are classic indicators of adware. Adware is a type of potentially unwanted program (PUP) that displays intrusive advertisements, often by injecting ads into system processes or browser sessions, and can degrade performance by consuming CPU and memory resources.

Exam trap

CompTIA often tests the distinction between adware and other malware types by presenting symptoms that seem like a Trojan or rootkit, but the presence of unsolicited pop-ups and an unwanted toolbar specifically points to adware, not credential theft or stealthy persistence.

How to eliminate wrong answers

Option A is wrong because a rootkit is designed to hide its presence and maintain privileged access, not to display pop-up ads or install browser toolbars; firmware rootkits specifically target low-level system firmware (e.g., UEFI) and do not cause visible adware symptoms. Option B is wrong because a worm spreads autonomously across networks to replicate and consume bandwidth, but it does not typically install browser toolbars or generate pop-up ads on a single user's machine. Option D is wrong because a Trojan horse that steals banking credentials would focus on keylogging or form grabbing, not on displaying unsolicited advertisements or adding browser toolbars; those symptoms are unrelated to credential theft.

23
MCQeasy

A small business wants to ensure that only authorized employees can access the file server from their laptops. Each laptop has a unique hardware ID. Which logical security method should be implemented to enforce this restriction?

A.Require a complex password for the file server share.
B.Enable MAC address filtering on the network switch or router.
C.Install a host-based firewall on each laptop.
D.Disable the guest account on the file server.
AnswerB

MAC filtering ties access to the specific hardware addresses of the laptops, meeting the requirement.

Why this answer

MAC address filtering on the network switch or router allows the administrator to create an access control list (ACL) that permits only specific hardware MAC addresses to connect to the network. Since each laptop has a unique hardware ID (MAC address), this method directly ties network access to the authorized devices, ensuring only those laptops can reach the file server. This is a logical security control implemented at Layer 2 of the OSI model.

Exam trap

The trap here is that candidates often confuse user authentication (passwords) with device authentication (MAC filtering), assuming that a strong password alone can restrict access to specific hardware, when in fact passwords only verify the user, not the device.

How to eliminate wrong answers

Option A is wrong because requiring a complex password for the file server share authenticates the user, not the device; any user with the password could log in from an unauthorized laptop. Option C is wrong because a host-based firewall on each laptop controls inbound/outbound traffic on that laptop but does not restrict which laptops are allowed to access the file server from the network perspective. Option D is wrong because disabling the guest account on the file server prevents anonymous access but does not enforce device-specific authorization; authorized users could still connect from any laptop.

24
MCQeasy

A company policy requires that all sensitive data stored on laptops must be unreadable if the device is lost or stolen. A technician is tasked with implementing a solution that works transparently for users. Which approach should they take?

A.Enable BitLocker drive encryption on each laptop.
B.Set a BIOS password on each laptop.
C.Implement a folder-level password policy using EFS.
D.Configure a screensaver password with a 1-minute timeout.
AnswerA

BitLocker provides full disk encryption that protects data at rest and works transparently after unlock.

Why this answer

BitLocker drive encryption provides full-disk encryption that operates transparently to the user, automatically encrypting all data on the system drive. If the laptop is lost or stolen, the data remains unreadable without the decryption key, satisfying the policy requirement without requiring user intervention.

Exam trap

CompTIA often tests the distinction between access control (passwords, screen locks) and data-at-rest encryption; the trap here is confusing a screen lock or BIOS password with actual encryption, which does not protect data if the drive is physically removed.

How to eliminate wrong answers

Option B is wrong because a BIOS password only prevents unauthorized booting of the system, but does not encrypt the data on the drive; an attacker could remove the hard drive and access the data directly. Option C is wrong because EFS (Encrypting File System) encrypts individual files or folders, not the entire drive, and it does not work transparently for all users—it requires user-specific certificates and can leave system files or temporary data unencrypted. Option D is wrong because a screensaver password only locks the screen after inactivity, but does not encrypt any data; an attacker could boot from a live USB or remove the drive to read the data.

25
MCQmedium

A user receives an email from what appears to be their bank, asking them to click a link and verify their account due to suspicious activity. The email contains several spelling errors and the link points to an unfamiliar domain. What type of attack is this?

A.Spear phishing
B.Phishing
C.Whaling
D.Vishing
AnswerB

Phishing involves mass emails that appear from trusted sources to steal credentials, matching this scenario.

Why this answer

This is a classic phishing attack because the email is a mass, unsolicited message that impersonates a trusted entity (the bank) and uses social engineering to trick the recipient into clicking a malicious link. The presence of spelling errors and an unfamiliar domain are hallmark indicators of a generic phishing attempt, not a targeted attack. Phishing typically relies on volume and deception rather than personalized reconnaissance.

Exam trap

The CompTIA A+ exam often tests the distinction between generic phishing and spear phishing by including a scenario with obvious errors and no personalization, tricking candidates into overthinking and selecting 'spear phishing' because they misidentify the bank context as targeted.

How to eliminate wrong answers

Option A is wrong because spear phishing is a highly targeted attack that uses personalized information (e.g., the recipient's name, job title, or specific account details) to increase credibility, whereas this email lacks any such personalization and contains generic errors. Option C is wrong because whaling is a specific form of spear phishing that targets high-profile executives or individuals with authority, not a general user receiving a mass email. Option D is wrong because vishing (voice phishing) is conducted over voice calls or VoIP, not via email with a clickable link.

26
MCQhard

A server administrator notices that an unauthorized user has been accessing sensitive data by exploiting a vulnerability in a web application. The application was recently updated. What is the most likely cause of this security incident?

A.Weak password policy
B.Zero-day vulnerability
C.Misconfigured firewall
D.Social engineering attack
AnswerB

A zero-day vulnerability is an unpatched flaw that attackers can exploit, which fits the scenario of a recent update not addressing it.

Why this answer

The correct answer is B because the question states the application was recently updated, which implies the vulnerability was unknown to the vendor at the time of the update. A zero-day vulnerability is a flaw that is exploited before the vendor has released a patch, making it the most likely cause when an update fails to protect against a newly discovered attack vector.

Exam trap

The CompTIA A+ exam often tests the distinction between a vulnerability that is exploited before a patch exists (zero-day) and a vulnerability that exists despite an update (e.g., unpatched known vulnerability), so candidates may incorrectly choose a misconfiguration or weak password when the key clue is the recent update failing to prevent the exploit.

How to eliminate wrong answers

Option A is wrong because a weak password policy would typically lead to credential-based attacks (e.g., brute force or password spraying), not exploitation of a web application vulnerability. Option C is wrong because a misconfigured firewall would usually expose network services or allow unauthorized traffic at the network layer, not directly enable exploitation of an application-layer vulnerability in the web app itself. Option D is wrong because a social engineering attack relies on manipulating human behavior (e.g., phishing or pretexting) to gain access, not on exploiting a technical flaw in the application code.

27
MCQmedium

A user calls the help desk because they cannot access a shared folder on the network. The user's account is part of the 'Sales' group, which has 'Read' permission, but the user needs to modify files. What is the most efficient way to grant the required access?

A.Assign 'Full Control' to the user's account directly
B.Add the user to a group that has 'Modify' permission
C.Change the folder's sharing settings to 'Everyone' with 'Read/Write'
D.Remove the user from the Sales group and add them to a new group with 'Read' permission
AnswerB

Modify permission allows reading, writing, and deleting files, which meets the user's need without granting unnecessary rights.

Why this answer

Adding the user to a group with 'Modify' permissions is efficient because it avoids individual permission assignments and follows the principle of group-based access control. This ensures the user can edit files without overcomplicating permissions.

28
MCQhard

A technician discovers that a user has been sharing their login credentials with coworkers to allow them to access a shared drive. The company's security policy prohibits password sharing. What is the most effective way to prevent this behavior while still allowing necessary access?

A.Disable the user's account and create a generic shared account for the drive.
B.Implement a Group Policy that forces password changes every 30 days.
C.Configure the shared drive permissions using security groups and add the coworkers to the appropriate group.
D.Send a company-wide email reminding users not to share passwords.
AnswerC

This grants necessary access without sharing passwords, enforcing least privilege and accountability.

Why this answer

The root cause is that the shared drive access is tied to individual accounts, encouraging sharing. Implementing group-based permissions with proper access control lists (ACLs) allows the company to grant access to a group rather than an individual, eliminating the need to share passwords. Additionally, enforcing a policy of non-repudiation and using audit logs can deter sharing.

29
MCQeasy

A user reports that their workstation is running slowly and they see frequent pop-up ads even when no browser is open. They also notice a new toolbar in their system tray that they did not install. What is the most likely security issue?

A.A rootkit has hidden itself in the kernel.
B.The system has adware installed.
C.A ransomware encryption process has started.
D.The user's account has been phished and credentials stolen.
AnswerB

Adware commonly causes pop-up ads, slow performance, and unwanted toolbars, matching the symptoms exactly.

Why this answer

Adware is a type of malware that displays unwanted advertisements, often in the form of pop-ups or browser redirects, and may install toolbars or other unwanted software without the user's consent. The presence of a new toolbar in the system tray and frequent pop-ups even when no browser is open are classic indicators of adware infection, as adware often runs background processes to generate revenue through ad impressions.

Exam trap

The distinction between adware and other malware types is a common test point in CompTIA A+. Candidates may confuse adware with a rootkit because both can be persistent, but rootkits are stealthy and do not produce visible ads or toolbars.

How to eliminate wrong answers

Option A is wrong because a rootkit is designed to hide its presence and maintain privileged access at the kernel level, not to display pop-up ads or install visible toolbars; rootkits typically avoid drawing attention. Option C is wrong because ransomware typically encrypts files and displays a ransom note, not pop-up ads or toolbars, and the system would show signs of file encryption or lock screen rather than slow performance with ads. Option D is wrong because phishing and credential theft lead to unauthorized access to accounts, not the installation of adware or the appearance of pop-up ads and toolbars on the local workstation.

30
MCQhard

A company's security policy requires that all laptops have a TPM chip enabled and be configured to require a PIN at startup before the operating system loads. Which security feature is being configured?

A.Secure Boot
B.BitLocker with TPM and PIN protector
C.Windows Defender System Guard
D.Group Policy password complexity enforcement
AnswerB

BitLocker can use a TPM plus a PIN for pre-boot authentication, requiring both hardware validation and user input to unlock the drive.

Why this answer

The scenario describes using a TPM chip and requiring a PIN at startup before the OS loads. This is exactly how BitLocker's TPM+PIN protector works: the TPM validates the system integrity, and the PIN provides an additional factor of authentication, unlocking the drive encryption key before Windows boots. Option B is correct because it directly matches the described configuration.

Exam trap

The trap here is that candidates confuse Secure Boot (which only verifies bootloader integrity) with the full-disk encryption and pre-boot authentication provided by BitLocker with TPM+PIN.

How to eliminate wrong answers

Option A is wrong because Secure Boot ensures only signed firmware and bootloaders run, but it does not provide full-disk encryption or require a PIN at startup. Option C is wrong because Windows Defender System Guard is a set of hardware-backed security features (like credential guard) that protect the kernel and system integrity, but it does not encrypt the drive or require a PIN before the OS loads. Option D is wrong because Group Policy password complexity enforcement applies to user account passwords after the OS has loaded, not to a pre-boot PIN for drive decryption.

Ready to test yourself?

Try a timed practice session using only Logical Security Concepts questions.