A hospital database containing patient records is accessed by an unauthorized employee who reads files they are not permitted to view. Which pillar of the CIA triad has been violated?
Confidentiality — unauthorized individuals gained access to sensitive information.
An attacker intercepts financial reports being sent between two branch offices and changes the dollar amounts before forwarding them. Which CIA principle is violated?
Integrity — unauthorized modification of data in transit occurred.
A ransomware attack encrypts all files on a company's servers, preventing employees from accessing them. Which CIA principle is primarily violated?
Availability — legitimate users are denied access to information and systems.
An employee sends a wire transfer and later claims they never authorized it. What security property would prove they did send it?
Non-repudiation — prevents someone from denying an action they performed.
A company is reviewing its security controls and wants to stop attacks before they happen. Which control type should they prioritize?
Preventive controls — designed to stop a security issue before it occurs.
A security team places fake admin credentials in a document on a shared drive to detect unauthorized access. What type of control is this?
Detective control / Honeytoken — identifies security events that have already occurred.
After a data breach, a company implements a new patch management process. What type of control is this?
Corrective control — remediates security issues that have already occurred.
A company posts "Surveillance cameras in use" signs around the building even though cameras are not fully operational. What control type is this?
Deterrent control — seeks to discourage attackers from attempting to violate security policies.
A security policy requires employees to complete annual cybersecurity training. What type of control is this?
Directive control — informs employees what they should do to achieve security objectives.
A firewall is deployed to restrict unauthorized network traffic. What type AND category of control is this?
Preventive + Technical control — enforces CIA in the digital space and stops issues before they occur.
A manager approves which files an employee can access. What access control model is in use?
Discretionary Access Control (DAC) — resource owners decide permissions.
An organization assigns permissions based on job titles such as "Analyst" or "Manager." What access control model is this?
Role-Based Access Control (RBAC) — privileges are assigned to roles, not individuals.
A government system labels files as Top Secret, Secret, or Unclassified and restricts access based on clearance level. What access control model is this?
Mandatory Access Control (MAC) — the OS enforces access based on security policy.
A cloud platform grants a user temporary admin access only when they open a support ticket and revokes it when the ticket closes. What concept is this?
Just-in-Time (JIT) Permissions — access granted and revoked only when needed.
A security analyst reviews controls against stated objectives and finds several gaps. What process are they performing?
Gap Analysis — reviewing control objectives and examining controls designed to achieve them.
A user receives an email appearing to be from their bank asking them to verify their account. No specific name is used. What type of attack is this?
Phishing — broad fraudulent acquisition of information via email.
An attacker calls an employee pretending to be IT support and asks for their password. What type of attack is this?
Vishing — phishing accomplished via voice.
A user receives a text message saying their package is delayed and to click a link to reschedule. What attack is this?
Smishing — phishing via text/SMS messages.
An attacker sets up a fake version of a popular industry news website that employees frequently visit, loading it with malware. What attack is this?
Watering Hole Attack — uses websites the target frequently visits.
An attacker registers the domain "microsofft.com" to trick users. What technique is this?
Typosquatting — using misspelled but similar-looking URLs.
An attacker calls an employee claiming to be a vendor conducting a survey and uses the conversation to gather network details. What technique is this?
Pretexting — creating a fabricated scenario to manipulate a victim.
An unauthorized person follows an employee through a secured door by walking closely behind them. What is this called?
Tailgating / Piggybacking — physically following an authorized person into a restricted area.
An attacker stands behind someone at a coffee shop and watches them type their banking password. What is this?
Shoulder Surfing — observing someone's screen or keyboard to steal credentials.
A security team discovers that a competitor's discarded documents contained network diagrams. What technique did the attacker use?
Dumpster Diving — searching discarded materials for sensitive information.
Malware on a workstation records every keystroke made and sends the captured input to a remote server. What type of malware is this?
Keylogger — captures keystrokes and input from a device.
Software is installed on an executive's computer that secretly records their screen and sends screenshots to an attacker. What is this?
Spyware — designed to obtain information about an individual or organization.
A virus on a system lies dormant until a specific date, then deletes all files. What malware components are described?
Trigger (the date) and Payload (file deletion) — components of a virus.
Malware spreads automatically across a network by exploiting an unpatched vulnerability in a file-sharing service without user interaction. What type is this?
Worm — spreads itself, often via attacks on vulnerable services.
A program appears to be a free game download but secretly opens a backdoor for remote access. What type of malware is this?
Trojan — disguised as legitimate software.
An attacker gains admin access to a server and installs software that hides their presence and maintains persistent access. What is this?
Rootkit — allows attackers to access a system through a backdoor while hiding their presence.
A piece of malware hides inside a Word macro and only activates when a specific employee opens a file. What is this?
Logic Bomb — code that activates when set conditions are met.
Malware is detected that never writes files to disk and only runs in system memory. What type is this?
Fileless Malware — operates entirely in memory without writing files to disk.
An attacker compromises 10,000 home computers and uses them to send spam. What has the attacker created?
Botnet — a network of compromised systems controlled by an attacker.
A threat actor has maintained persistent, undetected access to a government network for 18 months. What type of threat actor is this?
Advanced Persistent Threat (APT) — sophisticated, long-term attackers, often nation-state sponsored.
A vendor's software update is compromised before delivery and contains malicious code. What type of attack is this?
Supply Chain Attack — targets less-secure elements in the supply chain.
A developer discovers a critical vulnerability in widely used software and there is no available patch. What is this called?
Zero-Day Vulnerability — a vulnerability with no available fix.
An attacker tries thousands of common passwords against a single account. What attack is this?
Brute Force Password Attack — iterates through passwords until one works.
An attacker tries the password "Summer2024!" against 5,000 different accounts. What attack is this?
Password Spraying — attempts one or few passwords against many accounts.
A rainbow table is used to crack a password hash. What defensive technique would have prevented this?
Salting — adding a random value to passwords before hashing makes rainbow tables ineffective.
An analyst finds unusual log entries showing a valid admin account logging in from two countries simultaneously. What is the most likely indicator?
Indicator of Compromise (IoC) — evidence that suggests a system may have been breached.
Malware on a system communicates with an external server to receive commands. What is that external server called?
Command and Control (C2) server — infrastructure used by attackers to communicate with compromised systems.
An attacker uses AI-generated video of a CEO to authorize a fraudulent wire transfer. What technique is this?
Deepfake — AI-generated synthetic media used to impersonate individuals.
Threat intelligence shows attackers are actively exploiting a specific vulnerability in the wild. This is an example of what?
Indicator of Attack (IoA) — evidence suggesting an attack is in progress.
A researcher gathers information about a company using LinkedIn, public DNS records, and job postings before a pen test. What is this process?
OSINT (Open Source Intelligence) / Passive Reconnaissance — gathering information from publicly available sources.
A software vendor's hardware component is found to contain a hidden chip that sends data to a foreign government. What type of attack is this?
Supply Chain / Hardware Supply Chain Attack — malicious components inserted during manufacturing or distribution.
An organization places its public-facing web servers in a separate network zone between the internet and internal network. What is this zone called?
DMZ (Demilitarized Zone) / Screened Subnet — contains systems exposed to less-trusted areas.
A company wants to ensure that if one of its cloud VMs is compromised, the attacker cannot access other VMs. What security principle addresses this?
Microsegmentation — divides a network into very small zones to limit lateral movement.
A cloud environment automatically adds more servers during peak hours and removes them when demand drops. What concept is this?
Elasticity — automatically provisioning and de-provisioning resources based on demand.
A company uses code to automatically deploy and configure its cloud infrastructure rather than manual setup. What is this called?
Infrastructure as Code (IaC) — automating provisioning and management through scripted code.
An organization stores data in both its own data center and a public cloud, with workloads moving between them. What cloud model is this?
Hybrid Cloud — blends public, private, and/or community cloud services.
A university shares a cloud environment exclusively with other educational institutions. What cloud model is this?
Community Cloud — multi-tenant environment limited to members of a specific community.
A company's private cloud cannot handle a surge in demand, so it temporarily uses a public cloud. What is this called?
Public Cloud Bursting — leveraging public cloud when private cloud capacity is exceeded.
An organization wants to prevent a compromised virtual machine from accessing resources of neighboring VMs on the same host. What attack are they trying to prevent?
VM Escape — attacker leverages VM access to intrude upon resources of other VMs.
A cloud security team discovers hundreds of forgotten virtual machine instances running and accumulating costs. What problem is this?
Virtual Machine Sprawl — abandoned VM instances that accrue costs and security issues.
A CASB solution sits directly in the data path between users and their cloud applications. What type of CASB is this?
Inline CASB — physically or logically resides in the connection path.
A CASB integrates with a cloud provider's API to monitor user activity without being in the data path. What type is this?
API-Based CASB — interacts directly with the cloud provider through its API.
A company wants to verify that its cloud provider complies with security standards. What role does the independent reviewer play?
Cloud Auditor — provides third-party assessment of cloud services.
An organization builds its app as a collection of small, independently deployable services rather than one large application. What architecture is this?
Microservices — application broken into small, independent services.
Developers deploy functions to the cloud without managing any underlying servers or infrastructure. What model is this?
Serverless Computing — the provider manages infrastructure; users deploy functions only.
A Zero Trust architecture requires every access request to be verified, even from inside the network. What principle does this implement?
Zero Trust — presumes no trust boundary; every action is validated upon request.
In a Zero Trust model, what component evaluates access requests against policy and grants or denies access?
Policy Engine — makes policy decisions using rules and external systems like threat intelligence.
A Zero Trust system checks whether a user's device is patched and compliant before allowing access. What Zero Trust concept is this?
Adaptive Identity — context-based authentication considering device and location.
A company requires all remote admin access to servers to go through a single hardened intermediary system. What is this called?
Jump Server / Bastion Host — a hardened gateway for accessing systems in a secure zone.
An organization segments its network so that guest Wi-Fi, employee workstations, and servers are all on separate VLANs. What security concept is this?
Network Segmentation / Network Hardening — using VLANs to separate different trust levels.
An embedded medical device cannot receive patches due to vendor limitations. What is the best compensating control?
Network Segmentation / Physical Isolation — separate the device from other systems to limit exposure.
A forensic investigator arrives at a compromised workstation. What should they collect first according to proper procedure?
Most volatile data first — CPU registers/cache, then RAM, per the Order of Volatility.
A legal team notifies IT that they must preserve all emails and documents related to an ongoing lawsuit. What is this called?
Legal Hold — a directive to preserve potentially relevant data and halt normal deletion.
A forensic analyst creates a bit-for-bit copy of a hard drive before examining it. What is this copy called?
Forensic Image — captures every sector including deleted files and unallocated space.
A forensic examiner generates an MD5 hash of evidence before and after analysis. Why?
To verify integrity — matching hashes confirm the evidence has not been altered.
A forensic investigator connects a suspect drive using a device that prevents any data from being written to it. What is this device?
Write Blocker — prevents data from being written to the original evidence drive.
An investigator recovers deleted files by searching raw disk sectors for known file headers. What technique is this?
Carving — recovering deleted files without relying on the file system.
An analyst notices an image file is unusually large for its resolution. What forensic concern should they investigate?
Steganography — data may be hidden inside the image file.
A hacker modifies the creation and modification timestamps on files to cover their tracks. What anti-forensic technique is this?
Timestomping — modifying timestamps to conceal when files were created or accessed.
A company's SIEM generates an alert for a legitimate IT admin running a routine script. What type of alert is this?
False Positive — legitimate activity incorrectly flagged as malicious.
A SIEM fails to alert on a real intrusion because the attack pattern was not in its rule set. What is this called?
False Negative — failure to detect actual malicious activity.
A SIEM correlates multiple failed logins followed by a successful login from the same IP. What is the SIEM doing?
Correlation — linking related events across sources to identify potential incidents.
An organization wants to automatically close firewall ports when its SIEM detects a specific attack signature. What platform enables this?
SOAR (Security Orchestration, Automation, and Response) — automates responses across multiple systems.
A security team proactively searches for signs of compromise in their environment without a triggering alert. What activity is this?
Threat Hunting — adopting an attacker's mindset to seek undetected compromises.
After a security incident is contained, analysts meet to discuss what happened and how to improve. What is this meeting called?
Lessons Learned — post-incident review to improve future response.
What are the six phases of incident response in order?
Preparation, Detection, Containment, Eradication, Recovery, Lessons Learned.
An analyst discovers malware on a workstation and disconnects it from the network. What phase of incident response is this?
Containment — limiting the spread or impact of an incident.
After removing malware from a system and patching the vulnerability it exploited, what phase comes next?
Recovery — restoring systems and verifying they operate normally.
A SOC analyst receives a threat feed showing malicious IP addresses and imports them into the firewall blocklist. What is this called?
Threat Intelligence Integration — using external threat data to improve detection.
An organization shares threat indicators with peer companies in the same industry using an automated standard. What standard is used?
STIX/TAXII — Structured Threat Information Expression / Trusted Automated eXchange.
A security team discovers unusual outbound traffic to a foreign IP at 3 AM from a server that should be idle. What should they examine?
Indicators of Compromise (IoC) and network logs — telltale signs of an attack or data exfiltration.
A pen tester is given full network diagrams, credentials, and system documentation before testing. What environment type is this?
Known Environment (White Box) — testing performed with full knowledge of the target.
A pen tester is given no information about the target and must find their own way in. What environment is this?
Unknown Environment (Black Box) — replicates what an attacker would encounter.
A pen tester gains initial access to a workstation and uses it to move to a domain controller. What technique is this?
Pivoting / Lateral Movement — using initial compromise to access other systems.
A pen tester exploits a vulnerability to gain standard user access and then uses a local exploit to gain admin rights. What is the second step called?
Privilege Escalation — shifting from initial access to more advanced privileges.
A security assessment is performed by an internal team to evaluate controls. An audit of the same scope is performed by an external party. What is the key difference?
Audits must be performed by independent auditors; assessments can be internal.
A vulnerability scanner finds a critical flaw in a web application but the development team has no patch available. What should the organization do?
Implement compensating controls (e.g., WAF rule, network segmentation) and document a risk exception.
A CVSS score of 9.5 is assigned to a newly discovered vulnerability. How should it be classified?
Critical — CVSS scores of 9.0–10.0 are classified as Critical severity.
A vulnerability scanner runs with valid domain credentials before the scan. What type of scan is this?
Credentialed Scan — allows deeper inspection of system internals.
An organization scans its network from outside without any authentication to see what an attacker would see. What scan type is this?
Non-Credentialed Scan — simulates an outsider's view of exposed vulnerabilities.
A developer submits code and it is automatically tested and merged into the main repository. What practice is this?
Continuous Integration (CI) — consistently checking code into a shared repository.
A company categorizes its data as Public, Internal, Confidential, and Restricted. What process is this?
Data Classification — categorizing data by sensitivity level.
An organization applies labels to physical files indicating their classification level. What is this?
Data Labeling — applying classification markings to data assets.
A healthcare company must protect patient records under a U.S. federal law. What regulation applies?
HIPAA — protects health information in the United States.
A publicly traded company must ensure financial data integrity and IT controls under a U.S. law. What regulation applies?
SOX (Sarbanes-Oxley Act) — requires accurate financial reporting and IT controls.
A company operating in Europe must comply with strict rules about how it collects and processes personal data. What regulation applies?
GDPR (General Data Protection Regulation) — protects personal information in the EU.