Reconnaissance - Answers Reconnaissance is the process of gathering information about an
organization, including:
System hardware information
Network configuration
Individual user information
Social Engineering - Answers Social engineering is the process of manipulating others to give you
sensitive information such as:
Intimidation
Sympathy
Technical - Answers A technical approach is using software or utilities to find vulnerabilities in a system.
Port scan
Ping sweep
Breach - Answers A breach is the penetration of system defenses, achieved by using the information
gathered during reconnaissance to get past those defenses and gain unauthorized access.
Escalate Privileges - Answers Escalating privileges is one of the primary objectives of an attacker and can
be achieved by configuring additional (escalated) rights to do more than just breach the system.
Create a Backdoor - Answers Creating a backdoor is an alternative method of accessing an application or
operating system for troubleshooting. Hackers often create backdoors to exploit a system without being
detected.
Stage - Answers Staging a computer involves preparing it to perform additional tasks in the attack, such
as installing software designed to attack other systems. This is an optional step.
Exploit - Answers An exploitation takes advantage of known vulnerabilities in software and systems.
Types of exploitation include:
Stealing information
Denying services
Crashing systems
Modifying/Altering information
Layering - Answers Layering involves implementing multiple security strategies to protect the same
asset. Defense in depth or security in depth is the premise that no single layer is completely effective in
securing the assets. The most secure system/network has many layers of security and eliminates single
points of failure.
Principle of Least Privilege - Answers The principle of least privilege states that users or groups are given
only the access they need to do their job and nothing more. When assigning privileges, be aware that it
is often easier to give a user more access when they need it than to take away privileges that have
already been granted.
Variety - Answers Defensive layers should have variety and be diverse; implementing multiple layers of
the exact same defense does not provide adequate strength against attacks.
Randomness - Answers Randomness in security is the constant change in personal habits and passwords
to prevent anticipated events and exploitation.
Simplicity - Answers Security measures should provide protection, but not be so complex that you do
not understand and use them.
Sophisticated Attacks - Answers Sophisticated attacks are complex, making them difficult to detect and
thwart. Sophisticated attacks:
Use common internet tools and protocols, making it difficult to distinguish an attack from legitimate
traffic.
Vary their behavior, making the same attack appear differently each time.
Proliferation of Attack Software - Answers A wide variety of attack tools are available on the internet,
allowing anyone with a moderate level of technical knowledge to download the tools and run an attack.
Attack Scale and Velocity - Answers The scale and velocity of an attack can grow to millions of computers
in a matter of minutes or days due to its ability to proliferate on the internet. Because modern attacks
are not limited to user interactions, such as using a floppy disk, to spread an attack from machine to
machine, the attacks often affect very large numbers of computers in a relatively short amount of time.
Confidentiality - Answers Ensures that data is not disclosed to unintended persons. This is provided
through encryption, which converts the data into a form that makes it less likely to be usable by an
unintended recipient.
Integrity - Answers Ensures that data is not modified or tampered with. This is provided through
hashing.
Availability - Answers Ensures the uptime of the system so that data is available when needed.
Non-repudiation - Answers Provides validation of a message's origin. For example, if a user sends a
digitally signed email, they cannot claim later that the email was not sent. Non-repudiation is enforced
by digital signatures.
CIA of Security - Answers Refers to confidentiality, integrity, and availability. These are often identified as
the three main goals of security.
Physical security - Answers Includes all hardware and software necessary to secure data, such as
firewalls and antivirus software.
Users and administrators - Answers The people who use the software and the people who
manage the software, respectively.
Policies - Answers The rules an organization implements to protect information.
Risk management - Answers The process of identifying security issues and deciding which
countermeasures to take in reducing risk to an acceptable level. The main objective is to reduce the risk
for an organization to a level that is deemed acceptable by senior management.
asset - Answers Something that has value to the person or organization, such as sensitive information in
a database.
threat - Answers An entity that can cause the loss of an asset or any potential danger to the
confidentiality, integrity, or availability of information or systems, such as a data breach that results in a
database being stolen.
threat agent - Answers (sometimes known as an attacker) An entity that can carry out a threat, such as
a disgruntled employee who copies a database to a thumb drive and sells it to a competitor.
vulnerability - Answers A weakness that allows a threat to be carried out, such as a USB port that is
enabled on the server hosting the database or a server room door that is frequently left ajar. USB
devices pose the greatest threat to the confidentiality of data in most secure organizations. There are so
many devices that can support file storage that stealing data has become easy, and preventing it is
difficult.
exploit - Answers A procedure or product that takes advantage of a vulnerability to carry out a threat,
such as when a disgruntled employee waits for the server room door to be left ajar, copies the database
to a thumb drive, and then sells it.
Script kiddies - Answers Attackers who download and run attacks available on the internet, but generally are not
technically savvy enough to create their own attacking code or script.
Cybercriminals - Answers Attackers who usually seek to exploit security vulnerabilities for some kind of financial
reward or revenge.
Cyber terrorists - Answers Attackers who generally use the Internet to carry out terrorist activities, such as
disrupting network-dependent institutions.
Internal threats - Answers Authorized individuals who exploit their inherent privileges to carry out an
attack. This category includes employees (both current and former), janitors, security guards, and even
customers.
External threats - Answers Any individuals or groups that attack a network from the outside and seek
to gain unauthorized access to data.
Persistent threats - Answers Threats that seek to gain access to a network and remain there undetected.
With this type of threat, the attacker will go to great lengths to hide their tracks and presence in the
network.
Non-persistent threats - Answers Threats that are only concerned with getting into a system and stealing
information. The attack is usually a one-time event, and the attacker typically doesn't care if their
presence is noticed.
advanced persistent threat (APT) - Answers A type of persistent threat carried out by a nation state. An
APT has the goal of continually stealing information without being detected, and the tactics they use are
much more advanced than a traditional persistent threat.
Open-Source Intelligence (OSINT) - Answers Before carrying out an attack, a threat actor will typically
gather open-source intelligence (OSINT) about their target. OSINT is information that is readily available
to the public and doesn't require any type of malicious activity to obtain.
Media - Answers (newspapers, magazines, advertisements)
Internet - Answers (websites, blogs, social media)
Public government data - Answers (public reports, hearings, press conferences, speeches)
Professional and academic publications - Answers (journals, academic papers, dissertations)
Hacktivist - Answers A hacktivist is any individual whose attacks are politically motivated. Instead of
seeking financial gain, hacktivists are looking to defame, shed light on, or cripple an organization or
government. Oftentimes, hacktivists work alone. Occasionally, they will create unified groups with
like-minded hackers. For example, the website wikileaks.org is a repository of leaked government secrets,
some of which have been obtained by hacktivists.
Nation State - Answers A nation state is the most organized, well-funded, and dangerous type of threat
actor. There are two primary motives for nation state attacks (also called state-sponsored attacks).
Competitor - Answers A competitor threat actor carries out attacks on behalf of an organization and
targets competing companies. For example, a payment processing company could hire someone to carry
out a DDoS attack on a competing payment processing company to force users to choose the attacker's