Security+ certification with practice questions
Pavlo Burda | Security
The CompTIA Security+ is a well-known entry-level information security certification designed for cyber security professionals and those seeking to enter the field. We wrote about it in a previous article. I recently obtained this certificate and would like to share my experience with those willing to give it a try. An important note: the knowledge ‘objective areas’ were updated in the 2024 iteration of the certificate (SY0-701):
- General Security Concepts
- Threats, Vulnerabilities, and Mitigations
- Security Architecture
- Security Operations
- Security Program Management and Oversight
Exam considerations
You will have 90 minutes to answer up to 90 questions (120 minutes if English is not your native language). The total score ranges from 100 to 900 points, with a passing scaled score of 750. The exam combines a few Performance-Based Questions (PBQs) with around 70 to 80 multiple-choice questions.
The PBQs are interactive questions in which you are presented with a simplified interface, such as a network diagram or a configuration panel. You investigate and act on the interactive UI to solve the PBQ, and these are scored on a scale of points (partial credit) rather than simply correct or incorrect.
Exam quirks
The exam often includes vague questions, for instance questions where two or three answers look plausible but only one is accepted as correct. This is apparently a notorious feature of CompTIA exams. One way to tackle them is to apply your knowledge and logic, plus a bit of intuition. But common sense can sometimes deceive you: my advice is to apply your reasoning carefully to the exact wording of the question rather than visualizing the real-world problem at hand, and then move on.
How to prepare
How to approach the exam preparation depends largely on your current knowledge and past experience.
Beginners in IT and cyber security might need to study and practice a bit of networking and general security concepts. The Coursera courses Bits and Bytes of Computer Networking and Foundation of Cyber Security by Google are great resources for starters. Next, Jason Dion’s Udemy Security+ course gives a more in-depth overview to get acquainted with all the Security+ topics. Still, this is not enough, and I highly recommend studying and practicing with Professor Messer’s Course Notes (the videos are free) and the Security+ Study Guide by Mike Chapple, which I find to be the two best sources. Do not rely on the free practice questions you find online, as they are often well below the level of the real exam.
More experienced candidates can apply the strategy I followed: assess your readiness level directly with two or three practice exams from the sources mentioned above. This will give you an estimate of where you stand. Note down the questions you missed or found difficult, and study the related chapters in detail. Then rinse and repeat until you are comfortable enough to take the test.
Practice questions
Below I have assembled a series of questions similar to those you can find on the real exam.
1. An organization implements a quarterly risk assessment process, conducts tabletop exercises, and updates policies based on identified gaps. Which category of security controls is primarily being used?
A. Technical
B. Operational
C. Managerial
D. Physical
2. A government worker copies internal data to a removable device and then exfiltrates it to pass this information to a corrupt organization. What is the most likely motivation of the attacker?
A. Political
B. Revenge
C. Financial gain
D. Blackmail
3. The development team at a scaleup company applies an IaC approach to provision and deploy their infrastructure. The information security officer creates a script that checks for hard-coded API keys whenever developers push new code to the repository. What concept best describes this automation use case?
A. User provisioning
B. Code signing
C. Guard rails
D. Continuous delivery
4. In the domain of PCI DSS, tokenisation is often preferred over AES field-level encryption for storing Primary Account Numbers (PANs) because it:
A. Removes the sensitive data entirely and can take that data store out of PCI scope
B. Accelerates client analytics by keeping the sensitive data in clear text
C. Produces stronger, irreversible ciphertext than AES
D. Uses hashing, making the sensitive data unrecoverable
5. Which protocol is commonly used for automation in security configuration assessments?
A. SNMP
B. SCAP
C. LDAP
D. ICMP
6. In ZTNA, the component that actually makes the allow/deny decision after evaluating device posture, identity, and contextual signals is the:
A. Policy Enforcement Point (PEP)
B. Trust Algorithm
C. Policy Engine
D. Policy Administrator
7. A security professional conducts a penetration test on behalf of an organization. She discovers TCP/UDP port 161 exposed to the Internet on one of the company’s servers. What should she note as a potential attack surface in her report to the company?
A. An exposed UPS management system
B. An exposed data bucket
C. An exposed SNMP instance
D. An exposed print server
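Question 3 describes a guard rail: an automated check that rejects a push when the new code contains a hard-coded API key. The script below is an added illustration of such a check, not code from the article or from any of the courses it mentions. It assumes the hook receives the unified diff of the pushed commits on standard input (for example the output of `git diff <old>..<new>`), that the regular expressions and the entropy threshold are tunable heuristics rather than a complete secret-scanning rule set, and the sample diff is constructed for the demonstration (the AKIA... value is the example access key ID from AWS documentation, not a live credential).

```python
"""Guard rail for hard-coded API keys: added illustration for practice
question 3, not code from the original article.

Assumes the hook receives the unified diff of the pushed commits on stdin
(for example the output of `git diff <old>..<new>`) and that the patterns
and entropy threshold below are heuristics to tune, not a complete
secret-scanning rule set.
"""
import math
import re
import sys

# Key shapes to look for. The AKIA prefix is documented for AWS access key IDs;
# the generic rule catches assignments such as api_key = "..." or token: "...".
KEY_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic_api_key": re.compile(
        r"(?i)(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]([^'\"]{16,})['\"]"
    ),
}
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")


def shannon_entropy(s: str) -> float:
    """Bits per character: random keys score high, words and placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((s.count(c) / n) * math.log2(s.count(c) / n) for c in set(s))


def find_hardcoded_keys(diff_text: str, min_entropy: float = 3.5) -> list:
    """Return (new_line_number, rule, line) for each added line that looks like a key.

    Only '+' lines are inspected, so deleting a secret never blocks a push.
    Line numbers in the new file are tracked from the '@@' hunk headers.
    """
    findings = []
    line_no = 0
    for raw in diff_text.splitlines():
        header = HUNK_HEADER.match(raw)
        if header:
            line_no = int(header.group(1))
            continue
        if raw.startswith(("+++", "---")):
            continue                      # file name lines, not content
        if raw.startswith("-"):
            continue                      # removed line: has no new-file number
        if raw.startswith("+"):
            line = raw[1:]
            for rule, pattern in KEY_PATTERNS.items():
                hit = pattern.search(line)
                if hit is None:
                    continue
                value = hit.group(hit.lastindex) if hit.lastindex else hit.group(0)
                # Generic matches must also look random, so that a line such as
                # password = "example-placeholder" is not reported.
                if rule == "generic_api_key" and shannon_entropy(value) < min_entropy:
                    continue
                findings.append((line_no, rule, line.strip()))
        line_no += 1                      # added and context lines both advance
    return findings


# Constructed sample diff; the AKIA value is the example access key ID from
# AWS documentation, not a live credential.
SAMPLE_DIFF = """\
diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
@@ -1,4 +1,6 @@
 import os
-API_KEY = os.environ["API_KEY"]
+API_KEY = "0123456789abcdef0123456789abcdef"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+DB_PASSWORD = "example-placeholder"
 DEBUG = False
"""

if __name__ == "__main__":
    diff = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    hits = find_hardcoded_keys(diff)
    for line_no, rule, text in hits:
        print(f"line {line_no}: {rule}: {text}")
    sys.exit(1 if hits else 0)          # non-zero exit rejects the push
```

Run against the constructed diff, the script reports the hex key on line 2 and the AWS access key ID on line 3, while the low-entropy placeholder password on line 4 is ignored; wiring it into a pre-receive or CI step, so that a non-zero exit blocks the push, is what turns the check into a guard rail rather than a report.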
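Question 4 rests on the difference between a token and a ciphertext: a token is a random surrogate with no mathematical relationship to the PAN, so a store that holds only tokens cannot yield the PAN even if all of it leaks, and the PAN is recoverable only through a lookup in the separately protected token vault. The class below is an added example of that idea, not the article's code and not a production tokenisation service: the vault is an in-memory dictionary (a real service keeps it in a hardened, access-controlled store), the token format that preserves the last four digits is an assumption chosen for illustration, and the PAN used in the usage is a widely published test card number, not a real account.

```python
"""Tokenisation of Primary Account Numbers (PANs): added illustration for
practice question 4, not code from the original article.

Assumptions: the vault lives in memory here (a real service keeps it in a
separately secured store), tokens keep the last four digits so that the
application can still display "**** 1111", and tokens are generated so
that they never pass the Luhn check, which keeps them from being mistaken
for real card numbers.
"""
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check-digit validation as used for payment card numbers."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Maps PANs to random tokens and back. Only this component ever sees PANs."""

    def __init__(self) -> None:
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("input is not a well-formed PAN")
        # The same PAN always yields the same token, so the application can
        # still group transactions per card without ever holding the PAN.
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject collisions and any token that passes Luhn (it would
            # look like a real PAN); failing Luhn also guarantees token != pan.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only callers authorised to reach the vault can recover the PAN."""
        return self._pan_by_token[token]


def store_order(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """What the application database keeps: token and display hint, never the PAN."""
    token = vault.tokenize(pan)
    return {"card_token": token, "card_last4": pan[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    TEST_PAN = "4111111111111111"   # widely published test number, not a real card
    record = store_order(vault, TEST_PAN, 1999)
    print("application record:", record)
    print("vault lookup:", vault.detokenize(record["card_token"]))
```

The record returned by `store_order` is what lands in the application database: the token, a last-four hint and the amount. Because the token was drawn at random, nothing in that database, and no key, lets anyone reconstruct the PAN; with AES field-level encryption the same record would hold ciphertext that the key holder can always reverse, which is why the encrypted store stays in PCI scope while the token-only store can be argued out of it.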
You can find the answers here.
Photo by Trang TRIEU on Unsplash.
Dr. Pavlo Burda is an IT consultant and researcher specializing in emerging cybersecurity threats and people analytics for security.

