CompTIA Security+ Practice Questions: Implementation

48 free, exam-style CompTIA Security+ (SY0-701) practice questions covering the Implementation domain. Each question is followed by its correct answer and a short explanation of why that answer is right and, where it matters in practice, what the control does not cover.


Q1. Which authentication protocol uses tickets and is resistant to replay attacks?

Explanation: Kerberos. Users and services authenticate with time-limited tickets issued by the Key Distribution Center, and every service request also carries a timestamped authenticator, so a captured ticket cannot simply be resent later. This protection depends on clocks across the realm being synchronized.

Q2. Which cryptographic algorithm is asymmetric?

Explanation: RSA. It uses a mathematically linked public/private key pair, whereas a symmetric algorithm such as AES uses a single shared key for both encryption and decryption.

Q3. What does TLS primarily provide for network communications?

Explanation: Transport Layer Security (TLS) provides confidentiality (encryption), integrity (each record is authenticated) and authentication of the server through its certificate; client certificate authentication is optional.

Q4. What is the PRIMARY risk of using WEP for wireless security?

Explanation: WEP's RC4-based encryption uses a short, frequently reused initialization vector and weak key handling, so the network key can be recovered in minutes with freely available tools. WEP should never be deployed.

Q5. Which protocol is used to securely manage network devices?

Explanation: SSH provides encrypted and authenticated command-line access for remote device management, replacing cleartext Telnet. (For monitoring traffic, SNMPv3 plays the equivalent role.)

Q6. What is the PRIMARY purpose of hashing?

Explanation: Integrity. A hash function produces a fixed-size digest from input of any length, and any change to the input changes the digest, so recomputing and comparing hashes detects modification. Hashing is one-way and is not encryption.

Q7. What is the PRIMARY purpose of a digital certificate?

Explanation: A digital certificate binds a public key to an identity such as a host name, person or organization. A certificate authority signs the certificate, and relying parties verify that signature against a trusted root.

Q8. Which port is typically used for secure web browsing?

Explanation: HTTPS (HTTP over TLS) uses TCP port 443 by default; plain HTTP uses port 80.

Q9. Which authentication factor is 'something you are'?

Explanation: Biometrics such as a fingerprint or face scan are 'something you are'. The other factors are something you know (password, PIN) and something you have (hardware token, smart card).

Q10. What is the PRIMARY benefit of salting passwords?

Explanation: A salt is random data stored alongside the hash and mixed into the password before hashing. Identical passwords therefore produce different hashes, and a precomputed table cannot be reused across accounts or across sites.

Q11. Which encryption mode is used for wireless networks with WPA2?

Explanation: CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol), an AES-based mode that provides both encryption and integrity. TKIP was only a legacy fallback for WPA-era hardware.

Q12. What is the PRIMARY purpose of a certificate revocation list (CRL)?

Explanation: A CRL is a CA-signed list of certificates revoked before their expiry date, for example because the private key was compromised. Clients download it to check certificate status; OCSP is the online alternative.

Q13. Which protocol is used for secure email transmission?

Explanation: S/MIME provides end-to-end encryption and digital signatures for email messages using X.509 certificates. (STARTTLS on SMTP protects only the hop between mail servers, not the message itself.)

Q14. What is the PRIMARY purpose of steganography?

Explanation: Steganography hides information inside other files such as images or audio so that the existence of the message is concealed, unlike encryption, which protects only its content.

Q15. Which authentication protocol is used for dial-up and VPN services?

Explanation: RADIUS provides centralized authentication, authorization and accounting for remote access services such as dial-up, VPN and 802.1X wireless.

Q16. Which control would BEST protect against SQL injection?

Explanation: Parameterized (prepared) queries keep user input separate from the SQL statement, so input can never change the structure of the query. Input validation is a useful supporting control but is not sufficient on its own.
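
The contrast above, shown as an added example rather than code from the original page: a lookup that concatenates the username into the SQL text beside the same lookup using placeholder binding, run against a constructed in-memory SQLite table. Table contents and the two payloads are sample data, not real credentials.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with a constructed users table (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO users (username, password_hash) VALUES
            ('alice', 'hash-of-alice'),
            ('bob',   'hash-of-bob');
        """
    )
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the username is pasted into the SQL text, so quotes in the
    input become part of the statement."""
    query = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the driver binds the value to the placeholder; the input is
    data and can never alter the query structure."""
    query = "SELECT id, username FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo() -> dict:
    """Run both lookups with a normal name, a tautology payload and a UNION payload."""
    conn = make_db()
    tautology = "' OR '1'='1"
    union = "x' UNION SELECT id, password_hash FROM users --"
    return {
        "legit": find_user_parameterized(conn, "alice"),
        # WHERE username = '' OR '1'='1'  -> every row matches
        "vulnerable_tautology": find_user_vulnerable(conn, tautology),
        # trailing quote is commented out by --; second SELECT leaks hashes
        "vulnerable_union": find_user_vulnerable(conn, union),
        # the same payloads are just unusual usernames that match nothing
        "parameterized_tautology": find_user_parameterized(conn, tautology),
        "parameterized_union": find_user_parameterized(conn, union),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The UNION case is the one to remember: the vulnerable query returns password hashes through a column that was never meant to expose them, while the parameterized version returns no rows because the whole payload is compared literally as a username.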

Q17. Which authentication protocol is used for single sign-on in web applications?

Explanation: SAML enables single sign-on by exchanging signed XML assertions between an identity provider (IdP), which authenticates the user, and a service provider (SP), which trusts the assertion.

Q18. Which cryptographic concept ensures a message hasn't been altered?

Explanation: Integrity. Hashes, message authentication codes (MACs) and digital signatures let the receiver detect any alteration of the message.

Q19. Which control would BEST protect against brute force attacks?

Explanation: Account lockout after a set number of failed attempts stops systematic password guessing. Because lockout can be abused to deny service to legitimate users, many implementations combine time-windowed throttling or progressive delays with MFA rather than a hard lock.
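
An added example (not from the original page) of the lockout logic described above: a small throttle that tracks failed attempts per account inside a sliding window, locks the account for a fixed period once the threshold is reached, and resets on success. The class name, thresholds and the injectable clock are assumptions made for the example; a real deployment would persist this state in a shared store so the count survives across application nodes.

```python
import time
from collections import defaultdict, deque
from typing import Callable, Dict, Deque


class LoginThrottle:
    """Lock an account for lock_seconds after max_failures failed attempts
    within window_seconds. The clock is injectable so tests can move time."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 300,
                 lock_seconds: int = 900,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.lock_seconds = lock_seconds
        self.clock = clock
        self._failures: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def is_locked(self, account: str) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear state so the counter starts fresh.
            del self._locked_until[account]
            self._failures[account].clear()
            return False
        return True

    def record_failure(self, account: str) -> None:
        now = self.clock()
        recent = self._failures[account]
        recent.append(now)
        # Drop failures that fell outside the sliding window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lock_seconds

    def record_success(self, account: str) -> None:
        self._failures[account].clear()
        self._locked_until.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  check_password: Callable[[str, str], bool]) -> str:
    """Return 'locked', 'ok' or 'denied'. The lock check comes first so a
    locked account is refused even when the guess is correct."""
    if throttle.is_locked(account):
        return "locked"
    if check_password(account, password):
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account)
    return "denied"


def demo() -> list:
    """Constructed scenario: five wrong guesses, a correct guess while locked,
    then the same correct guess after the lock expires."""
    fake_now = [1000.0]
    throttle = LoginThrottle(max_failures=5, window_seconds=300,
                             lock_seconds=900, clock=lambda: fake_now[0])
    check = lambda acct, pw: acct == "alice" and pw == "correct horse"  # sample only

    results = [attempt_login(throttle, "alice", f"guess{i}", check) for i in range(5)]
    results.append(attempt_login(throttle, "alice", "correct horse", check))  # locked
    fake_now[0] += 901  # advance past the lock
    results.append(attempt_login(throttle, "alice", "correct horse", check))  # ok
    return results


if __name__ == "__main__":
    print(demo())
```

Note how the sixth attempt is refused even though the password is right: that is the property that stops guessing, and also the reason an attacker can lock out a victim on purpose, which is why the throttle window and lock period should be tuned and paired with alerting.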

Q20. Which protocol is used for secure file transfer?

Explanation: SFTP (SSH File Transfer Protocol) transfers files over an SSH-encrypted channel, normally on TCP port 22. It is a different protocol from FTPS, which is FTP wrapped in TLS.

Q21. Which control would BEST protect against ARP spoofing?

Explanation: Dynamic ARP Inspection (DAI) on a switch validates ARP packets against a trusted IP-to-MAC binding table, usually built by DHCP snooping, and drops replies that do not match.

Q22. Which protocol is used for secure directory services?

Explanation: LDAPS encrypts LDAP directory traffic with TLS, by default on TCP port 636 (plain LDAP uses port 389).

Q23. Which control would BEST protect against cross-site scripting (XSS)?

Explanation: Output encoding appropriate to the context where the data lands (HTML body, attribute, JavaScript, URL), combined with input validation, neutralizes XSS payloads. A Content Security Policy adds defense in depth but does not replace encoding.
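
An added illustration of context-aware output encoding (example code, not from the original page): the same untrusted string rendered raw, encoded for an HTML body, encoded for an attribute value, and placed in a URL after a scheme check. The render functions and the `about:blank` fallback are choices made for this example; a real application would use its template engine's auto-escaping rather than hand-built strings.

```python
import html
from urllib.parse import quote


def render_vulnerable(comment: str) -> str:
    """Vulnerable: untrusted text interpolated straight into the HTML body."""
    return f'<p class="comment">{comment}</p>'


def render_body(comment: str) -> str:
    """HTML body context: encode <, >, &, and quotes so tags cannot be opened."""
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_attribute(value: str) -> str:
    """Attribute context: quotes must be encoded or the value can close the
    attribute and start a new one (e.g. an onmouseover handler)."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def render_href(user_url: str) -> str:
    """URL context: encoding alone does not stop javascript: URLs, so first
    restrict the scheme, then percent-encode, then HTML-encode for the attribute."""
    if not user_url.lower().startswith(("http://", "https://")):
        user_url = "about:blank"  # assumed safe fallback for this example
    encoded = quote(user_url, safe=":/?&=#%")
    return f'<a href="{html.escape(encoded, quote=True)}">link</a>'


def demo() -> dict:
    """Constructed payloads for each context."""
    script = "<script>alert(1)</script>"
    breakout = '" onmouseover="alert(1)'
    js_url = "javascript:alert(1)"
    return {
        "raw": render_vulnerable(script),
        "body": render_body(script),
        "attribute": render_attribute(breakout),
        "href": render_href(js_url),
        "href_ok": render_href('https://example.com/?q="x"'),
    }


if __name__ == "__main__":
    for context, markup in demo().items():
        print(f"{context}: {markup}")
```

The attribute and URL cases are where body-only escaping fails: HTML-encoding `javascript:alert(1)` changes nothing about what the browser executes, which is why the scheme check comes before any encoding.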

Q24. Which cryptographic algorithm is used for digital signatures?

Explanation: RSA. The signer applies its private key to a hash of the message (the RSA signing operation, with PSS or PKCS#1 v1.5 padding), and anyone holding the matching public key can verify the signature. Although often described as "encrypting the hash with the private key", signing is a distinct operation from encryption; ECDSA and EdDSA are the other common signature algorithms.

Q25. Which protocol is used for secure time synchronization?

Explanation: Network Time Security (NTS) adds a TLS-based key exchange and authenticated packets to NTP so that time responses cannot be spoofed or tampered with in transit.

Q26. Which control would BEST protect against rainbow table attacks?

Explanation: Salting. A rainbow table is a precomputed map from hashes back to passwords; with a unique salt per account the attacker would need a separate table for every salt value, which is impractical.

Q27. Which protocol is used for secure remote command execution?

Explanation: SSH provides encrypted, authenticated command-line access to remote systems and is the standard replacement for Telnet, rsh and rlogin.

Q28. Which control would BEST protect against MAC spoofing?

Explanation: Switch port security limits the number and identity of MAC addresses permitted on a port and can shut the port down on a violation, so a host that adopts another device's MAC address is blocked.

Q29. Which protocol is used for secure VoIP communications?

Explanation: Secure Real-time Transport Protocol (SRTP) encrypts and authenticates the VoIP media stream; the call signaling (SIP) is protected separately, typically with TLS.

Q30. Which control would BEST protect against DNS spoofing?

Explanation: DNSSEC signs DNS records so that resolvers can verify a response is authentic and unmodified. It provides integrity and authenticity only; it does not encrypt queries.

Q31. Which protocol is used for secure DNS queries?

Explanation: DNS over HTTPS (DoH) carries DNS queries inside an HTTPS session so they cannot be read or altered on the path; DNS over TLS (DoT) is the equivalent on a dedicated port (853).

Q32. Which of the following is an example of 'something you have' in multi-factor authentication (MFA)?

Explanation: MFA combines two or more different types of authentication factors. 'Something you have' refers to a physical object such as a smart card, a hardware token, or a mobile phone running an OTP app.

Q33. A company wants to ensure that sensitive data stored on laptops is protected even if a laptop is lost or stolen. Which of the following controls would be MOST effective?

Explanation: Full-disk encryption encrypts all data on the drive, so a lost or stolen laptop yields nothing readable without the decryption key or password; this protects data at rest. It should be paired with pre-boot authentication or a TPM-protected key so the disk cannot simply be read from another operating system.

Q34. In cryptography, what is the purpose of a 'salt' when hashing passwords?

Explanation: A salt is random data added to each password before it's hashed. This ensures that even if two users have the same password, their stored hashes will be different, rendering precomputed rainbow tables ineffective.
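
The points made in Q10, Q26 and this question, as one added example that is not from the original page: a salted PBKDF2-HMAC-SHA256 password store with constant-time verification, next to the unsalted scheme it replaces, and a constructed "rainbow table" showing why the precomputed lookup works only against the unsalted hashes. The record format (`pbkdf2_sha256$iterations$salt$hash`), the iteration count and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256 (example value; tune to your hardware).
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt is generated unless one is supplied (supplying one is
    only useful for tests; never reuse a salt in production)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algorithm, iterations, salt_hex, hash_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def unsalted_sha256(password: str) -> str:
    """The weak scheme salting replaces: one fixed digest per password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def rainbow_table_demo() -> dict:
    """Two users (constructed sample) who chose the same weak password, attacked
    with a precomputed table of common passwords."""
    common = ["password", "123456", "letmein", "qwerty"]
    table = {unsalted_sha256(p): p for p in common}  # attacker's precomputed table

    unsalted_alice = unsalted_sha256("letmein")
    unsalted_bob = unsalted_sha256("letmein")
    salted_alice = hash_password("letmein")
    salted_bob = hash_password("letmein")

    return {
        "unsalted_identical": unsalted_alice == unsalted_bob,   # leaks shared password
        "unsalted_cracked": table.get(unsalted_alice),          # instant lookup
        "salted_identical": salted_alice == salted_bob,         # different salts
        "salted_cracked": table.get(salted_alice.split("$")[3]),  # no match
        "verify_ok": verify_password("letmein", salted_alice),
        "verify_wrong": verify_password("letmeout", salted_alice),
    }


if __name__ == "__main__":
    print(rainbow_table_demo())
```

Storing the algorithm and iteration count in the record lets you raise the work factor later and re-hash each user transparently at their next successful login; the salt is not secret and lives in the same record.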

Q35. What is the primary purpose of using a VPN (Virtual Private Network)?

Explanation: A VPN establishes an encrypted, authenticated tunnel between a client and a VPN gateway so that traffic can cross an untrusted network (such as public Wi-Fi or the internet) to reach a private network without being read or modified in transit.

Q36. Which of the following is a key component of a Public Key Infrastructure (PKI) responsible for issuing and revoking digital certificates?

Explanation: The Certificate Authority (CA) is the trusted entity in a PKI that issues, manages, revokes, and renews digital certificates, which bind public keys to identities. A registration authority (RA) may verify identities on its behalf, but the CA signs the certificates.

Q37. What is the primary purpose of data masking or tokenization?

Explanation: Both limit exposure of real sensitive data. Data masking replaces values with structurally similar but fake ones, usually irreversibly, so developers and testers can work with realistic datasets outside production. Tokenization substitutes a token that can be mapped back to the original value only through a protected token vault, which is why it is common for payment card data.

Q38. A security team is implementing controls to prevent unauthorized software from running on endpoints. Which technology would be MOST effective for this?

Explanation: Application allowlisting (whitelisting) permits only explicitly approved applications to run and blocks everything else, including malware and unauthorized tools. It is stronger than blocklisting, which can only stop software that is already known to be bad.

Q39. Which of the following is a characteristic of symmetric encryption?

Explanation: Symmetric algorithms such as AES use a single shared secret key for both encryption and decryption. They are much faster than asymmetric algorithms and are used for bulk data; the trade-off is that the shared key must be distributed securely, which is typically done with asymmetric cryptography.

Q40. Which of the following protocols is commonly used to provide centralized authentication, authorization, and accounting (AAA) for network access?

Explanation: RADIUS (Remote Authentication Dial-In User Service) provides centralized AAA for users connecting to a network service and is widely used for VPNs, wireless networks (802.1X) and dial-up access. TACACS+ is the alternative usually chosen for administrative access to network devices.

Q41. Which of the following data states is protected by technologies like TLS/SSL and VPNs?

Explanation: Data in transit (data in motion) is data actively moving between locations, for example across the internet or through a private network. TLS (the successor to SSL) and VPNs encrypt that traffic to prevent eavesdropping and modification; they do nothing for data at rest or data in use.

Q42. Which cryptographic algorithm is most efficient for mobile devices and IoT due to low processing power requirements?

Explanation: ECC (elliptic curve cryptography) offers security comparable to RSA with far smaller keys (a 256-bit ECC key is roughly equivalent to a 3072-bit RSA key), so operations are faster and need less memory and power, which suits resource-constrained devices.

Q43. Which protocol is primarily used for authorization (access delegation) rather than authentication?

Explanation: OAuth 2.0 is an open standard for access delegation: a user grants an application scoped access to resources held by another service without sharing a password. Authentication is layered on top by OpenID Connect, which is why OAuth alone should not be treated as a login protocol.

Q44. Which cryptographic property ensures that a compromised private key does not compromise past session keys?

Explanation: Perfect Forward Secrecy (PFS). An ephemeral key exchange such as ECDHE derives a fresh session key for every connection, and the server's long-term private key is used only to authenticate, never to protect the session key. A later theft of that key therefore does not allow recorded past sessions to be decrypted.

Q45. Which technology uses a distributed, decentralized ledger to ensure data integrity and immutability without a central authority?

Explanation: Blockchain is a distributed ledger in which transactions are grouped into blocks that each include the hash of the previous block, so altering any past record would break the chain and be detectable by every participant.

Q46. Which email control helps receiving servers verify that mail is authorized by the sending domain policy?

Explanation: DMARC builds on SPF and DKIM: a message passes only if at least one of them passes and the authenticated domain aligns with the visible From domain. The domain's DMARC record publishes a policy (none, quarantine or reject) telling receivers how to handle failures, and an address for aggregate reports.
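
The pass/fail decision described above, as an added example that is not part of the original page: a small DMARC evaluator that parses a published record, checks SPF and DKIM results for alignment with the From domain, and returns the policy action. The organizational-domain logic is deliberately simplified to the last two labels (real receivers use the Public Suffix List), and the `pct` and `sp` tags are ignored; the record and message results are constructed samples.

```python
from dataclasses import dataclass


@dataclass
class AuthResult:
    """What a receiver knows after running SPF and DKIM on one message."""
    spf_result: str    # "pass", "fail" or "none" for the envelope (MAIL FROM) domain
    spf_domain: str
    dkim_result: str   # "pass", "fail" or "none" for the signing (d=) domain
    dkim_domain: str
    from_domain: str   # the RFC 5322 From header domain that DMARC protects


def parse_dmarc(record: str) -> dict:
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s; aspf=r'."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a valid DMARC record")
    return tags


def org_domain(domain: str) -> str:
    """Simplified organizational domain: last two labels (assumption for the example)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """Strict ('s') alignment requires an exact match; relaxed ('r') accepts
    any subdomain of the same organizational domain."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(record: str, r: AuthResult) -> str:
    """Return 'pass', or the policy action ('none', 'quarantine', 'reject')."""
    tags = parse_dmarc(record)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, tags.get("aspf", "r"))
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, tags.get("adkim", "r"))
    return "pass" if (spf_ok or dkim_ok) else tags["p"]


def demo() -> dict:
    """Constructed messages against a constructed policy for example.com."""
    record = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"
    legit = AuthResult("pass", "bounce.example.com", "none", "", "example.com")
    spoof = AuthResult("pass", "attacker.net", "pass", "attacker.net", "example.com")
    strict_miss = AuthResult("fail", "example.com", "pass", "mail.example.com", "example.com")
    return {
        "legit_relaxed_spf": evaluate_dmarc(record, legit),        # pass
        "spoof_unaligned": evaluate_dmarc(record, spoof),          # reject
        "dkim_subdomain_strict": evaluate_dmarc(record, strict_miss),  # reject
        "monitor_only": evaluate_dmarc("v=DMARC1; p=none", spoof),     # none
    }


if __name__ == "__main__":
    print(demo())
```

The spoof case is the point of DMARC: the attacker's mail passes SPF and DKIM for attacker.net, but neither identifier aligns with the From domain, so the receiver applies example.com's reject policy. The third case shows how a strict `adkim=s` setting can reject your own mail signed by a subdomain, a common cause of lost legitimate mail when tightening policy.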

Q47. Which control verifies that software updates came from the trusted publisher and were not altered?

Explanation: Code signing. The publisher signs a hash of the package with its private key, and the updater verifies the signature against the publisher's public key (or certificate). A valid signature proves both origin (authenticity) and that the package was not modified after signing (integrity).

Q48. Which control can detect known malicious file hashes on endpoints?

Explanation: EDR (endpoint detection and response), like traditional antivirus, matches file hashes against known malicious indicators; EDR additionally records process, file and network telemetry so it can detect suspicious behavior that has no known hash.
