CCNA Security Questions

36 questions · Security · All types, answers revealed

1
Matching · medium

Match each troubleshooting step to its order in the CompTIA A+ methodology.



Step 1

Step 2

Step 3

Step 5

Why these pairings

Standard troubleshooting methodology.

2
MCQ · medium

A user wants to prevent unauthorized access to their laptop if stolen. Which is the best method?

A. Antivirus
B. Use a strong password
C. Firewall
D. Enable BitLocker
Answer: D

BitLocker encrypts the entire drive, protecting data even if the laptop is stolen.

Why this answer

BitLocker is a full-disk encryption feature built into Windows that encrypts the entire drive, making data inaccessible without the decryption key. If the laptop is stolen, the thief cannot read any files even if they remove the hard drive and connect it to another system. This directly prevents unauthorized access to data, unlike other options that only protect against network or software threats.

Exam trap

The trap here is that candidates confuse authentication (password) with encryption (BitLocker), assuming a strong password alone protects data against physical theft, but it only protects against casual login attempts, not direct disk access.

How to eliminate wrong answers

Option A is wrong because antivirus software detects and removes malware but does not protect data if the laptop is physically stolen and the drive is accessed offline. Option B is wrong because a strong password only protects the OS login screen; a thief can bypass it by booting from a live USB or removing the hard drive to read data directly. Option C is wrong because a firewall controls network traffic but offers no protection against physical theft or offline access to the storage device.

3
Multi-Select · easy

Which two of the following are types of malware? (Choose two.)

Select 2 answers
A. Phishing
B. Ransomware
C. DDoS
D. Trojan
E. Adware
Answers: B, D

Ransomware is malware that encrypts data.

Why this answer

Options B and D are correct because ransomware and Trojan horses are both forms of malware. Option A is wrong because phishing is a social engineering attack, not malware. Option C is wrong because a DDoS is an attack, not malware.

Option E is wrong because adware is often considered potentially unwanted but not always classified as malware.

4
MCQ · medium

You are the IT administrator for a small accounting firm with 25 employees. The firm uses a Windows Server 2019 domain controller, a file server, and an email server running Microsoft Exchange. Each employee has a company-issued laptop running Windows 10. The firm recently experienced a ransomware attack that encrypted all files on the file server. The attacker demanded a ransom in Bitcoin. The firm restored the files from a backup that was taken the previous night. However, the CEO is concerned about future attacks and wants to implement additional security measures. The firm has a limited budget and cannot afford a full security suite. Which of the following is the BEST course of action to reduce the risk of another ransomware infection?

A. Ensure all systems are patched monthly.
B. Implement application whitelisting on all workstations.
C. Deploy an email spam filter to block phishing emails.
D. Conduct annual security awareness training for all employees.
Answer: B

Application whitelisting allows only approved programs to run, blocking ransomware executables even if they are downloaded.

Why this answer

Application whitelisting prevents any unauthorized executable, script, or installer from running, which would block ransomware even if it reaches the system via email or web download. This is the most effective single control on a limited budget because it stops unknown malware at the execution point, regardless of patch status or user behavior.

Exam trap

The trap here is that candidates often choose email spam filtering (Option C) because they associate ransomware with phishing, but they overlook that application whitelisting provides a deterministic, policy-based defense that blocks execution regardless of the delivery vector.

How to eliminate wrong answers

Option A is wrong because monthly patching addresses known vulnerabilities but does not prevent ransomware delivered via phishing or social engineering, which exploits user trust rather than unpatched code. Option C is wrong because an email spam filter reduces the volume of phishing emails but cannot block all malicious attachments or links, and ransomware can also arrive via web downloads, USB drives, or remote desktop attacks. Option D is wrong because annual security awareness training is too infrequent to change ingrained user habits, and even well-trained users can be tricked by sophisticated phishing or zero-day exploits; training alone does not provide a technical execution barrier.

5
MCQ · hard

You are the IT security administrator for a mid-sized law firm that handles sensitive client data. The firm has a mix of Windows 10 workstations, a Windows Server 2019 domain controller, and a network printer. All users have standard user accounts. The senior partner recently received a phishing email that appeared to be from a known client, requesting that he click a link to review a document. He clicked the link and entered his domain credentials on a fake login page. Shortly after, the firm's file server began encrypting files and displaying a ransom note. The incident response team isolated the infected server and restored files from backup. However, the senior partner now reports that he cannot access the file server from his workstation. He receives an 'Access Denied' message. You check his account in Active Directory and find that his account is not locked out and the password is correct. The file server is back online and accessible by other users. You verify that the senior partner's workstation has network connectivity and can ping the file server. Which of the following is the MOST likely cause of the access issue?

A. The senior partner's password was changed during incident response, and his workstation has cached old credentials
B. The senior partner's account was disabled by the automatic containment script
C. The ransomware modified the file server's permissions to deny access to the senior partner's account
D. The senior partner's workstation IP address was blacklisted on the file server
Answer: A

After credential compromise, passwords are often reset. The workstation may be using cached old credentials, causing authentication failure despite network connectivity.

Why this answer

The senior partner's password was likely changed during the incident response process to prevent further unauthorized access using his compromised credentials. When a password is changed in Active Directory, the user's workstation still caches the old credentials (NTLM hash) until the user logs off and back on. Since the partner has not logged off, his workstation continues to present the old, invalid credentials to the file server, resulting in an 'Access Denied' error despite the account being active and the password being correct.

Exam trap

The trap here is that candidates may assume ransomware or containment scripts directly caused the access issue, overlooking the subtle credential caching behavior that persists after a password change without a logoff/logon cycle.

How to eliminate wrong answers

Option B is wrong because the senior partner's account is not locked out and is active in Active Directory, and the scenario states his account was not disabled by any automatic containment script. Option C is wrong because the file server was isolated and restored from backup, which would revert any permission changes made by ransomware; moreover, other users can access the server, indicating permissions are intact. Option D is wrong because IP address blacklisting would prevent network connectivity (ping) entirely, but the partner can ping the file server, ruling out IP-level blocking.

6
Drag & Drop · medium

Drag and drop the steps to shut down a Windows 10 computer properly into the correct order.



Why this order

Proper shutdown prevents data loss and ensures the system powers off safely.

7
MCQ · easy

A company wants to prevent unauthorized physical access to its server room. Which control is best?

A. Firewall
B. Antivirus
C. Biometric lock
D. Encryption
Answer: C

Biometrics verify identity based on physical characteristics, restricting entry to authorized personnel.

Why this answer

A biometric lock is the best control for preventing unauthorized physical access to a server room because it authenticates individuals based on unique physiological traits (e.g., fingerprint, iris scan), directly securing the physical entry point. Unlike logical or data-level controls, it addresses the physical security domain by restricting who can enter the room, not what data they can access.

Exam trap

The trap here is that candidates confuse logical security controls (firewall, antivirus, encryption) with physical security controls, incorrectly assuming any security technology can prevent physical access, when only a physical access control mechanism like a biometric lock directly addresses the scenario.

How to eliminate wrong answers

Option A is wrong because a firewall is a network security device that filters traffic based on rules (e.g., ACLs, stateful inspection), and it does not prevent physical entry to a room. Option B is wrong because antivirus software detects and removes malware on endpoints, but it has no mechanism to control physical access to a location. Option D is wrong because encryption protects data at rest or in transit by converting it into ciphertext (e.g., AES-256), but it does not prevent someone from physically walking into a server room.

8
Multi-Select · easy

Which TWO of the following are best practices for creating and managing passwords?

Select 2 answers
A. Share passwords with colleagues in the same department to improve collaboration
B. Reuse passwords every 90 days
C. Enable multi-factor authentication where available
D. Use a unique password for each online account
E. Write down passwords on a sticky note and keep it near the computer
Answers: C, D

MFA provides an additional security layer.

Why this answer

Options C and D are correct. Using a unique password for each account prevents a single breach from compromising multiple accounts. Enabling multi-factor authentication adds an extra layer of security beyond the password.

Option A is wrong because sharing passwords within a team undermines accountability and security. Option B is wrong because reusing a password, even on a 90-day cycle, is still reuse; password history enforcement (requiring each new password to be unique) is the best practice, and the policy as stated is not one. Option E is wrong because writing down passwords on a sticky note increases the risk of theft.

9
MCQ · easy

A security guard notices an individual following closely behind an employee through a secured door without swiping a badge. This scenario is an example of which type of security threat?

A. Shoulder surfing
B. Phishing
C. Tailgating
D. Malware
Answer: C

Tailgating is unauthorized physical access by following someone.

Why this answer

Option C is correct because tailgating occurs when an unauthorized person follows an authorized person into a restricted area. Option B is wrong because phishing is a deceptive message. Option A is wrong because shoulder surfing is looking at a screen.

Option D is wrong because malware is malicious software.

10
Multi-Select · medium

Which TWO of the following are examples of social engineering attacks?

Select 2 answers
A. DDoS
B. Shoulder surfing
C. Brute force
D. Man-in-the-middle
E. Phishing
Answers: B, E

Shoulder surfing involves observing a user's screen or keyboard to capture information.

Why this answer

Phishing and shoulder surfing rely on human interaction to obtain sensitive information, whereas DDoS, brute force, and man-in-the-middle are technical attacks.

11
MCQ · hard

Which type of malware replicates itself across a network without user interaction?

A. Virus
B. Ransomware
C. Worm
D. Trojan
Answer: C

Worms self-propagate across networks without human intervention.

Why this answer

A worm is a standalone malware program that replicates itself across a network by exploiting vulnerabilities or using network protocols (e.g., SMB, HTTP) without requiring any user action, such as opening a file or executing a payload. Unlike a virus, which attaches to a host file and needs user interaction to spread, a worm self-propagates automatically, making it the correct answer for malware that spreads without user interaction.

Exam trap

The trap here is that candidates confuse a worm with a virus, assuming both require user interaction, but the key distinction is that a worm self-replicates over a network autonomously, while a virus requires a host file and user action to spread.

How to eliminate wrong answers

Option A is wrong because a virus requires user interaction (e.g., opening an infected file or running a malicious macro) to attach to a host program and replicate; it does not autonomously spread across a network. Option B is wrong because ransomware is a type of malware that encrypts files or locks a system for ransom, but its primary mechanism is extortion, not self-replication across a network without user interaction. Option D is wrong because a Trojan disguises itself as legitimate software to trick users into installing it, relying on social engineering and user action, and it does not replicate itself at all.

12
MCQ · hard

Refer to the exhibit. A security analyst reviews the NTFS permissions on the C:\Shared folder. Which user or group has the ability to delete files created by other users?

A. Users
B. No user or group
C. Admin
D. Everyone
Answer: A

Users have Modify (M) permissions, which include the ability to delete files and subfolders, even those created by other users.

Why this answer

The 'Users' group in Windows NTFS has the 'Modify' permission on the C:\Shared folder by default, which includes the 'Delete Subfolders and Files' advanced permission. This allows members of the Users group to delete files created by other users, even if they are not the owner of those files. The 'Delete' permission alone only allows deletion of one's own files, but 'Delete Subfolders and Files' overrides that restriction for the container.

Exam trap

Cisco often tests the distinction between the standard 'Delete' permission and the advanced 'Delete Subfolders and Files' permission, trapping candidates who assume that only the file owner or an administrator can delete files created by others.

How to eliminate wrong answers

Option B is wrong because the 'Users' group explicitly has the ability to delete files created by other users via the 'Delete Subfolders and Files' permission, so there is a user/group with that capability. Option C is wrong because the 'Admin' group (typically Administrators) has full control, but the question asks which user or group has the ability to delete files created by other users, and 'Users' is the correct answer, not 'Admin' (though Admin also has that ability, it is not the best answer as 'Users' is the group specifically granted that permission in the exhibit). Option D is wrong because 'Everyone' includes all users, including anonymous and guest accounts, and while it may have read or execute permissions, it does not inherently have the 'Delete Subfolders and Files' permission on the C:\Shared folder; the exhibit shows that 'Users' is the group with that specific permission.

13
MCQ · medium

Which security threat is indicated in the exhibit?

A. DDoS
B. Phishing
C. Malware infection
D. Brute force attack
Answer: D

The log shows failed login attempts, characteristic of a brute force attack.

Why this answer

The exhibit shows repeated failed login attempts from a single IP address, which is characteristic of a brute force attack. This attack systematically tries many username/password combinations to gain unauthorized access, often targeting services like SSH, RDP, or web login portals.

Exam trap

The trap here is that candidates may confuse repeated failed logins with a malware infection or DDoS, but the key indicator is the systematic, single-source attempt pattern targeting authentication, not traffic volume or malicious code.

How to eliminate wrong answers

Option A is wrong because a DDoS (Distributed Denial of Service) attack floods a target with traffic from multiple sources to overwhelm resources, not repeated login attempts. Option B is wrong because phishing involves deceptive messages (e.g., emails) tricking users into revealing credentials, not automated login trials. Option C is wrong because a malware infection requires malicious software execution, whereas brute force is a direct authentication attack without code execution.

14
MCQ · easy

Which of the following is an example of a strong password?

A. 123456
B. Cr@zy8#s
C. abc123
D. password
Answer: B

This password uses uppercase, lowercase, numbers, and symbols, making it strong.

Why this answer

Option B (Cr@zy8#s) is correct because it meets all strong password criteria: it is at least 8 characters long, includes uppercase and lowercase letters, a digit, and special characters (@ and #). This complexity makes it resistant to brute-force attacks and dictionary attacks, as it increases the entropy and does not contain common words or sequential patterns.

Exam trap

The trap here is that candidates often choose passwords like 'abc123' or '123456' because they seem easy to remember, but the exam tests the understanding that a strong password must include a mix of character types and avoid common patterns or dictionary words.

How to eliminate wrong answers

Option A is wrong because '123456' is a sequential numeric string that is one of the most commonly used passwords, making it trivial to guess or crack with a simple brute-force attack. Option C is wrong because 'abc123' combines a common alphabetical sequence with a numeric sequence, lacks special characters and uppercase letters, and is frequently found in password dictionaries. Option D is wrong because 'password' is a single common English word that is the most classic example of a weak password, easily guessed by dictionary attacks and appearing in every password cracking list.

15
MCQ · easy

Which principle ensures that data is not modified by unauthorized users?

A. Authentication
B. Confidentiality
C. Availability
D. Integrity
Answer: D

Integrity ensures data is not altered by unauthorized means.

Why this answer

Integrity ensures that data has not been altered or tampered with by unauthorized users. This is typically enforced through mechanisms like hashing (e.g., SHA-256) or digital signatures, which detect any modification to the original data. Without integrity controls, an attacker could change financial records or system files without detection.

Exam trap

CompTIA often tests the distinction between confidentiality and integrity, where candidates mistakenly choose confidentiality because they associate 'protection' with encryption, but encryption only prevents reading, not modification.

How to eliminate wrong answers

Option A is wrong because authentication verifies the identity of a user or system (e.g., via passwords or certificates), but does not prevent data modification after access is granted. Option B is wrong because confidentiality protects data from unauthorized disclosure (e.g., via encryption), not from unauthorized modification. Option C is wrong because availability ensures that data and systems are accessible when needed (e.g., through redundancy or load balancing), but does not address data tampering.

16
MCQ · hard

A small real estate office with 12 employees has been using the same network setup for five years. Employees use both company-issued laptops and personal smartphones to access email and client listings. Last week, an employee clicked a link in a phishing email, which led to a ransomware infection on the company file server. The server was encrypted, and the attackers demanded a ransom. The office had no backups; all client data and contracts were lost. The office manager wants to prevent such incidents in the future. Which of the following should be the FIRST security measure implemented, considering the root cause of the breach?

A. Install antivirus software on all company laptops and personal devices
B. Deploy a next-generation firewall with intrusion prevention
C. Enable full-disk encryption on all company laptops
D. Mandate security awareness training for all employees, focusing on phishing identification
Answer: D

Training addresses the root cause by empowering users to avoid phishing attacks.

Why this answer

The root cause was a phishing email that tricked an employee. While technical controls like antivirus (A), a next-generation firewall (B), and full-disk encryption (C) are valuable, they do not address the human factor. Security awareness training (D) educates users to recognize phishing attempts, reducing the likelihood of similar incidents.

Without training, other controls can be bypassed. Option D is the most direct and effective first step.

17
MCQ · easy

Which security principle is being applied?

A. Least privilege
B. Need to know
C. Separation of duties
D. Defense in depth
Answer: A

Least privilege grants only the minimal necessary access; this rule restricts SSH to only the required subnet.

Why this answer

The principle of least privilege ensures that users or systems are granted only the minimum permissions necessary to perform their tasks. In this scenario, applying least privilege would restrict access rights to only what is required, reducing the attack surface and limiting potential damage from compromised accounts or insider threats.

Exam trap

CompTIA often tests least privilege by presenting a scenario where a user has more access than needed, and candidates confuse it with 'need to know'—the trap is that need to know applies to data access based on job necessity, while least privilege applies to all permissions (including system functions and files).

How to eliminate wrong answers

Option B (Need to know) is wrong because it focuses on restricting access to information based on whether it is necessary for a specific job function, rather than limiting overall permissions; it is a subset of least privilege but not the primary principle here. Option C (Separation of duties) is wrong because it divides critical tasks among multiple individuals to prevent fraud or error, not to minimize individual permissions. Option D (Defense in depth) is wrong because it involves layering multiple security controls (e.g., firewalls, antivirus, encryption) to protect assets, not specifically limiting user rights.

18
MCQ · hard

Based on the exhibit, which type of attack is most likely occurring?

A. Denial-of-service attack
B. Phishing attack
C. Brute force attack
D. Man-in-the-middle attack
Answer: C

Repeated failed logon attempts from a remote IP suggest a brute force attack.

Why this answer

The exhibit shows repeated login attempts with different passwords (e.g., 'password1', 'password2', 'password3') against a single user account. This pattern of systematically trying many passwords to guess credentials is the hallmark of a brute force attack. Unlike a denial-of-service or phishing attack, the goal here is to gain unauthorized access by exhausting possible password combinations.

Exam trap

CompTIA often tests the distinction between a brute force attack and a dictionary attack; the trap here is that candidates may confuse the systematic password guessing shown in the exhibit with a phishing or man-in-the-middle attack because they see repeated login attempts but fail to recognize the direct, automated guessing pattern.

How to eliminate wrong answers

Option A is wrong because a denial-of-service attack aims to overwhelm a system with traffic to disrupt service, not to guess passwords through repeated login attempts. Option B is wrong because phishing involves tricking users into revealing credentials via deceptive messages or websites, not by directly submitting password guesses to a login form. Option D is wrong because a man-in-the-middle attack intercepts and potentially alters communications between two parties, whereas the exhibit shows direct, repeated authentication attempts against a single endpoint.

19
MCQ · hard

An employee receives a phone call from someone claiming to be from the IT department. The caller states there is a security issue and requests the employee's login credentials to 'fix the problem'. What should the employee do?

A. Give a temporary password to see if the issue resolves.
B. Provide the credentials because the caller sounds knowledgeable.
C. Hang up and call the IT department using the official number.
D. Ask for a call-back number and verify the caller's identity later.
Answer: C

Verifying through official channels prevents credential theft.

Why this answer

Option C is correct because hanging up and calling the official IT number ensures the request is legitimate. Option B is wrong because providing any credentials is risky. Option D is wrong because calling back a number provided by the caller could go to the attacker.

Option A is wrong because even a temporary password could be exploited.

20
MCQ · easy

A user wants to ensure data confidentiality. Which action is most appropriate?

A. Encrypt files
B. Change password
C. Share with everyone
D. Delete files
Answer: A

Encryption transforms data into an unreadable format without a key, ensuring confidentiality.

Why this answer

Encrypting files using algorithms like AES-256 ensures that even if unauthorized users gain access to the data, they cannot read it without the decryption key. This directly addresses the goal of data confidentiality by transforming plaintext into ciphertext that is unreadable without the proper key.

Exam trap

The trap here is that candidates often confuse authentication (changing a password) with confidentiality (encryption), assuming that restricting access alone is sufficient to keep data secret, but encryption is the only mechanism that protects data at rest from unauthorized viewing.

How to eliminate wrong answers

Option B is wrong because changing a password controls access but does not protect the confidentiality of data already stored; an attacker who bypasses authentication can still read unencrypted files. Option C is wrong because sharing with everyone explicitly violates confidentiality by granting unauthorized access to the data. Option D is wrong because deleting files removes the data but does not protect confidentiality during its lifecycle; deleted files can often be recovered from disk using forensic tools, and deletion does not prevent exposure before deletion.

21
MCQ · medium

A company requires all employees to use strong passwords. Which of the following password policies best aligns with security best practices?

A. Passwords must be changed every 30 days but can be simple.
B. Passwords must be at least 8 characters and include uppercase, lowercase, numbers, and symbols.
C. Passwords must be the same across all corporate accounts for consistency.
D. Passwords must be a minimum of 6 characters and contain only letters.
Answer: B

Complexity and length make passwords more secure.

Why this answer

Option B is correct because it enforces complexity requirements (uppercase, lowercase, numbers, symbols) and a minimum length of 8 characters, which aligns with NIST SP 800-63B guidelines and modern security best practices. Complex passwords resist brute-force and dictionary attacks by increasing the keyspace exponentially. Simple passwords, even if changed frequently, remain vulnerable to guessing and credential stuffing.

Exam trap

The trap here is that candidates often think frequent password changes (Option A) are more secure than complexity, but the FC0-U61 exam emphasizes that strong, complex passwords are more effective against attacks than short, simple passwords changed often.

How to eliminate wrong answers

Option A is wrong because requiring a password change every 30 days with no complexity allows users to choose weak, easily guessable passwords (e.g., 'Password1'), which are vulnerable to brute-force and dictionary attacks; NIST SP 800-63B advises against arbitrary periodic changes without complexity. Option C is wrong because reusing the same password across all corporate accounts creates a single point of failure—if one account is compromised (e.g., via phishing or a data breach), all accounts become accessible; this violates the principle of least privilege and credential isolation. Option D is wrong because a minimum of 6 characters with only letters provides a very small keyspace (26^6 ≈ 308 million combinations), which can be cracked in minutes with modern GPU-based tools like Hashcat; it lacks the entropy from mixed character types.

22
Multi-Select · easy

Which TWO of the following are examples of social engineering attacks?

Select 2 answers
A. Adware
B. Spoofing
C. Tailgating
D. Phishing
E. Shoulder surfing
Answers: C, D

Tailgating is a social engineering attack where an unauthorized person follows an authorized individual into a restricted area.

Why this answer

Tailgating (option C) is a social engineering attack where an unauthorized person physically follows an authorized individual into a restricted area, bypassing access controls such as card readers or biometric scanners. This exploits human courtesy or inattention rather than technical vulnerabilities, making it a classic social engineering technique.

Exam trap

The trap here is that candidates often confuse shoulder surfing (a direct observation method) with social engineering, but CompTIA categorizes shoulder surfing as a physical security threat, not a social engineering attack, because it does not involve psychological manipulation or deception of the victim.

23
MCQ · medium

A small business wants to secure its wireless network. Which configuration provides the strongest encryption?

A. WPA
B. WEP
C. WPA2
D. WPA3
Answer: D

WPA3 offers stronger encryption and improved security features over older standards.

Why this answer

WPA3 (Wi-Fi Protected Access 3) is the latest wireless security standard, introduced in 2018, which provides the strongest encryption through mandatory use of 192-bit AES encryption in WPA3-Enterprise and 128-bit AES in WPA3-Personal, along with Simultaneous Authentication of Equals (SAE) to replace the vulnerable Pre-Shared Key (PSK) exchange used in WPA2. This makes it resistant to offline dictionary attacks and provides forward secrecy, ensuring that even if a password is compromised, past sessions remain secure.

Exam trap

The trap here is that candidates often confuse 'strongest' with 'most common' and select WPA2 because it is widely deployed, forgetting that WPA3 is the current gold standard and explicitly tested as the most secure option in the CompTIA FC0-U61 objectives.

How to eliminate wrong answers

Option A is wrong because WPA (Wi-Fi Protected Access) uses TKIP (Temporal Key Integrity Protocol) with RC4 encryption, which is vulnerable to attacks like Beck-Tews and has been deprecated since 2009. Option B is wrong because WEP (Wired Equivalent Privacy) uses static RC4 keys with a 24-bit initialization vector, making it trivially crackable within minutes using tools like aircrack-ng. Option C is wrong because WPA2, while using AES-CCMP and being significantly stronger than WPA or WEP, is still susceptible to KRACK (Key Reinstallation Attack) and offline dictionary attacks against the 4-way handshake, which WPA3 explicitly addresses.

24
MCQ · easy

A help desk technician receives an alert from the security monitoring system showing multiple events like the one in the exhibit. The technician is investigating a possible brute-force attack. Based on the exhibit, which of the following is the primary attack vector being used?

A.VPN brute-force attack
B.RDP brute-force attack
C.SSH brute-force attack
D.Web application attack
AnswerB

Logon Type 10 indicates a remote interactive logon, commonly used by RDP.

Why this answer

The exhibit shows repeated failed authentication attempts targeting TCP port 3389, which is the default port for Remote Desktop Protocol (RDP). A brute-force attack on RDP involves systematically trying many username/password combinations to gain unauthorized remote access to a Windows system. This matches the definition of an RDP brute-force attack.

Exam trap

CompTIA often tests the association of default port numbers with specific protocols, so the trap here is confusing RDP (port 3389) with SSH (port 22) or VPN (various ports), leading candidates to pick a plausible but incorrect attack vector.

How to eliminate wrong answers

Option A is wrong because VPN brute-force attacks target VPN protocols like IPsec or SSL/TLS on ports such as UDP 500 or TCP 443, not TCP 3389. Option C is wrong because SSH brute-force attacks target TCP port 22, not port 3389. Option D is wrong because web application attacks target HTTP/HTTPS ports (80/443) and exploit application-layer vulnerabilities like SQL injection or XSS, not repeated authentication attempts on a remote access protocol.

25
Multi-Selecteasy

Which TWO of the following are types of malware?

Select 2 answers
A.Patch
B.Encryption
C.Virus
D.Worm
E.Firewall
AnswersC, D

A virus is a type of malware that replicates by attaching to programs.

Why this answer

A virus is a type of malware that attaches itself to a legitimate program or file and replicates when the host is executed, often causing damage or stealing data. It requires user interaction (e.g., opening an infected attachment) to spread, distinguishing it from other malware types.

Exam trap

The trap here is that candidates confuse security tools (patches, encryption, firewalls) with malware types, or mistakenly think encryption itself is malicious, whereas encryption is a neutral technique used by both security software and some malware (e.g., ransomware) to lock data.

26
MCQmedium

An employee receives an email from 'IT Support' asking for his password due to 'system maintenance'. This is an example of:

A.Baiting
B.Phishing
C.Tailgating
D.Pretexting
AnswerB

The email impersonates IT support and requests sensitive information, typical of phishing.

Why this answer

Phishing is a social engineering attack where an attacker masquerades as a trusted entity (here, 'IT Support') to trick the victim into revealing sensitive information, such as a password. The email requesting credentials under the pretext of 'system maintenance' is a classic phishing technique, often executed via email (spear phishing if targeted). This directly matches the definition of phishing as an attempt to acquire sensitive data through deceptive electronic communication.

Exam trap

The trap here is that candidates confuse pretexting with phishing because both involve a fabricated story, but the exam specifically tests that phishing is the correct term when the attack is carried out via email, instant message, or other electronic communication, whereas pretexting is broader and often involves direct voice or in-person interaction.

How to eliminate wrong answers

Option A is wrong because baiting involves offering something enticing (e.g., a free USB drive or download) to lure the victim into executing malware or revealing information, not sending a deceptive email requesting credentials. Option C is wrong because tailgating is a physical security breach where an unauthorized person follows an authorized individual into a restricted area, not an email-based attack. Option D is wrong because pretexting is a social engineering tactic where the attacker fabricates a scenario (pretext) to obtain information, but it typically involves impersonation over the phone or in person, not specifically via email; while the email does create a pretext, the question explicitly describes an email request for a password, which is the hallmark of phishing, not pretexting alone.

27
MCQhard

After a ransomware attack, which step should be taken FIRST in the incident response process?

A.Notify law enforcement
B.Disconnect affected systems from network
C.Restore from backup
D.Pay the ransom
AnswerB

Disconnecting stops the spread and limits damage, a crucial first step.

Why this answer

The first step in incident response after a ransomware attack is to contain the threat by disconnecting affected systems from the network. This prevents the ransomware from encrypting additional files on other systems and stops lateral movement, which is critical because ransomware often uses network shares and SMB protocols to spread. Immediate isolation preserves forensic evidence and limits the scope of the incident before any other actions are taken.

Exam trap

CompTIA often tests the misconception that the first step should be to restore from backups or notify authorities, but the correct first step is always containment to stop the spread of the attack.

How to eliminate wrong answers

Option A is wrong because notifying law enforcement is a secondary step that should occur after containment and initial investigation; contacting authorities prematurely can delay critical containment actions and may not be required for all incidents. Option C is wrong because restoring from backup should only be performed after the ransomware has been fully removed and the root cause identified; restoring while the infection is active can re-encrypt the restored data. Option D is wrong because paying the ransom does not guarantee data recovery, encourages further attacks, and violates many organizational security policies and legal guidelines; it is never a recommended technical step in incident response.

28
MCQmedium

A user reports that their computer is running slowly and the network activity light is constantly on. The technician runs the command shown in the exhibit. Based on the output, what is the most likely cause?

A.The computer is experiencing a denial-of-service (DoS) attack
B.The computer is infected with malware communicating with a command-and-control server
C.The user is running excessive web browsing sessions
D.The firewall is misconfigured and blocking legitimate traffic
AnswerB

Multiple connections to the same remote server are a sign of botnet or C2 activity.

Why this answer

The exhibit shows multiple established connections from the local computer to the same remote IP on port 443 (HTTPS). This pattern suggests a botnet or malware establishing multiple command-and-control channels. Option B is correct because it indicates a malware infection.

Option A is wrong because a DoS attack would typically show many connections from different sources. Option C is wrong because excessive web browsing would show connections to various IPs, not just one. Option D is wrong because a firewall misconfiguration would block or allow traffic, not create multiple connections.

29
MCQmedium

You are the IT administrator for a small company with 50 employees. The company uses a shared network drive for project files. Employees have read/write access to all folders on the drive. Recently, a ransomware attack encrypted many files on the network drive after an employee's workstation became infected. The employee had mapped the drive as a local letter. Backups are available but restoring takes several hours. Management wants to reduce the risk of future ransomware damage to the network drive. You are considering implementing one of the following controls. Which control would be most effective in limiting the spread of ransomware to the network drive?

A.Enable disk encryption on the network drive.
B.Implement file-level permissions so users only have write access to folders they need.
C.Install antivirus software on all workstations and schedule weekly scans.
D.Require all employees to use a VPN when accessing the network drive.
AnswerB

Least privilege reduces the scope of encryption if a workstation is infected.

Why this answer

Option B is correct because implementing file-level permissions with least privilege limits the number of files a ransomware infection can encrypt. Option D is wrong because a VPN is for remote access, not internal protection. Option C is wrong because antivirus may not prevent malware from running.

Option A is wrong because disk encryption protects data at rest but does not prevent ransomware from encrypting files.

30
Multi-Selecthard

Which THREE of the following are best practices for creating secure passwords?

Select 3 answers
A.Use the same password for all accounts for memorability
B.Change password every 90 days
C.Use at least 8 characters
D.Use personal information like birthdate
E.Include a mix of uppercase, lowercase, numbers, symbols
AnswersB, C, E

Regular changes limit the window of exposure if a password is stolen.

Why this answer

Option B is correct because regular password changes (e.g., every 90 days) limit the window of exposure if a password is compromised. This practice aligns with NIST SP 800-63B guidelines, which recommend periodic rotation to mitigate risks from credential theft or brute-force attacks.

Exam trap

CompTIA often tests the misconception that password reuse is acceptable for memorability, but security best practices require unique passwords per account to prevent credential stuffing attacks.

31
MCQeasy

An employee receives an email from an unknown sender that includes an attachment labeled 'Invoice.pdf'. The employee does not recall ordering anything. What is the most secure action for the employee to take?

A.Open the attachment to check if it is a legitimate invoice.
B.Reply to the sender requesting more information.
C.Forward the email to the IT security team and then delete it.
D.Delete the email without opening any attachments.
AnswerC

Reporting suspicious emails to IT helps protect the organization.

Why this answer

Option C is correct because forwarding suspicious emails to the IT security team helps protect the organization. Option A is wrong because opening unknown attachments can install malware. Option B is wrong because replying may confirm the email address to attackers.

Option D is wrong because deleting without reporting does not alert others to a potential threat.

32
MCQmedium

A small business owner wants to protect sensitive customer data stored on a laptop that is frequently used on public Wi-Fi networks. The owner is considering implementing a security control that ensures data remains confidential even if the laptop is stolen. Which of the following is the BEST control for this scenario?

A.Use a VPN when connected to public Wi-Fi
B.Install antivirus software
C.Implement full-disk encryption
D.Require a strong password for user login
AnswerC

Full-disk encryption protects data at rest by encrypting the entire drive, so data is unreadable without the decryption key.

Why this answer

Full-disk encryption (FDE) protects data at rest by encrypting the entire storage volume, typically using AES-128 or AES-256. Even if the laptop is stolen, the encrypted data remains unreadable without the decryption key, ensuring confidentiality. This directly addresses the requirement for data protection after physical theft.

Exam trap

The trap here is that candidates confuse encryption of data in transit (VPN) with encryption of data at rest (FDE), or assume that a strong password alone is sufficient to protect data after physical theft.

How to eliminate wrong answers

Option A is wrong because a VPN encrypts data in transit over public Wi-Fi, but does not protect data stored on the laptop if it is stolen. Option B is wrong because antivirus software detects and removes malware but does not encrypt data or prevent access to stored files after theft. Option D is wrong because a strong password protects the login screen but can be bypassed by booting from a live USB or removing the hard drive, leaving the data accessible.

33
MCQhard

A medium-sized business has a policy that requires all employees to use two-factor authentication (2FA) when accessing the corporate email system. The authentication method uses a time-based one-time password (TOTP) app on employees' smartphones. Several employees have reported that they cannot log in because they recently changed phones and did not transfer the TOTP seed. The help desk has been resetting 2FA for these users, but management is concerned about the security of the reset process. Which of the following procedures should the help desk follow to securely reset 2FA for a user?

A.Disable 2FA for the user and allow password-only access.
B.Verify the user's identity through a separate out-of-band channel, then reset.
C.Reset the 2FA immediately upon user request via email.
D.Require the user to visit the IT department in person with a photo ID.
AnswerB

Out-of-band verification prevents unauthorized resets.

Why this answer

Option B is correct because verifying the user's identity through a separate out-of-band channel (e.g., a phone call to a known number) ensures the requester is legitimate. Option C is wrong because email can be spoofed. Option A is wrong because disabling 2FA reduces security.

Option D is wrong because while in-person verification is secure, it is not always practical; out-of-band is a better balance.

34
MCQhard

Which security best practice is being demonstrated?

A.Using a public DNS server
B.Using a static IP address
C.Using a private DNS server
D.Using a dynamic IP address
AnswerC

A private DNS server provides internal resolution and can enforce security policies.

Why this answer

Using a private DNS server enhances security by allowing an organization to control DNS resolution internally, preventing external interception or manipulation of DNS queries. This practice helps protect against DNS spoofing and ensures that internal resources are resolved using trusted, local records rather than relying on potentially compromised public DNS servers.

Exam trap

The trap here is that candidates often confuse 'private DNS server' with 'static IP address' or 'dynamic IP address,' mistakenly thinking that IP address assignment methods are security controls, when in fact DNS server choice directly impacts query confidentiality and integrity.

How to eliminate wrong answers

Option A is wrong because using a public DNS server (e.g., Google's 8.8.8.8) exposes DNS queries to external networks, increasing the risk of eavesdropping, cache poisoning, or redirection to malicious sites. Option B is wrong because using a static IP address is a network configuration choice, not a security best practice; it can actually reduce security by making a device's address predictable and easier to target. Option D is wrong because using a dynamic IP address (via DHCP) is primarily for address management and does not inherently provide a security benefit; it may slightly obscure a device's identity but is not a recognized security best practice.

35
Multi-Selecthard

A security analyst is reviewing user permissions and discovers that several users have been granted more privileges than necessary to perform their job functions. The analyst wants to apply the principle of least privilege. Which TWO actions should the analyst take? (Choose TWO.)

Select 2 answers
A.Grant full administrative access to a single IT administrator
B.Audit current permissions to identify unnecessary privileges
C.Create role-based access control (RBAC) groups that match job functions
D.Allow users to request temporary elevation of privileges for specific tasks
E.Remove all permissions from users and add them back only when requested
AnswersB, C

Auditing helps identify where excessive privileges exist, which is a necessary first step.

Why this answer

Auditing current permissions (Option B) is the first step in applying least privilege because it identifies exactly which users have excessive rights. Creating RBAC groups (Option C) then allows the analyst to assign permissions based on job functions, ensuring users only have the access necessary to perform their roles. Together, these actions systematically reduce privilege levels without disrupting operations.

Exam trap

The trap here is that candidates often confuse the principle of least privilege with just-in-time access (Option D) or think that removing all permissions (Option E) is a valid starting point, when in fact the correct approach is to first audit and then restructure permissions using RBAC.

36
Multi-Selectmedium

Which three of the following are recommended practices for securing a home wireless network? (Choose three.)

Select 3 answers
A.Disable SSID broadcast
B.Update router firmware regularly
C.Use WPA2 encryption
D.Enable MAC address filtering
E.Use the default router password
AnswersA, B, C

Disabling SSID broadcast hides the network from casual scans.

Why this answer

Disabling SSID broadcast makes the network name invisible in client scans, reducing casual discovery. However, it is a weak security measure because attackers can still detect the SSID using packet sniffing tools like Wireshark or airodump-ng when a client connects. It should be used as a minor deterrent, not a primary security control.

Exam trap

The trap here is that candidates often think MAC address filtering is a strong security measure, but CompTIA tests the understanding that it is easily bypassed and not a recommended practice for securing a home wireless network.
