Quiz: CompTIA Security+ SY0-601
Post-Assessment Quiz 2025 Questions and Answers
Typically, certain employees of an organization get texts that update them on various IT activities.
If there is a support ticket or downtime, they will receive texts to let them know about the activity.
They have started to receive some messages via text instructing them to call the IT help desk at the
provided number. When they call the help desk number, a recording asks them for their employee
ID.
Assuming that the IT department did not send those texts, which of the following social engineering
attacks is this? - ANSWER✔✔-Smishing
Which of the following social engineering attacks continues to be a primary weapon used by threat
actors? - ANSWER✔✔-Phishing
David, a software engineer, recently bought a brand new laptop because his enterprise follows the
BYOD (bring your own device) model. David was part of a software development project where the
software code was leaked before its release. Further investigation proved that a vulnerability in
David's laptop caused the exposure. David insists he never used the laptop to access any network or
integrate any devices, and the laptop was kept in a vault while not in use. Which of the following
attack vectors was used by the threat actor? - ANSWER✔✔-c. Supply chain
FOR STUDY PURPOSES ONLY COPYRIGHT © 2025 ALL RIGHTS RESERVED
Which category of cybersecurity vulnerability is exploited by attackers before anyone else knows
about it? - ANSWER✔✔-c. Zero day
The company that developed the office productivity software used on both static and mobile devices
by your organization has audited some code and noticed a potential security issue. To address the
issue, they have released and automatically scheduled an update to ensure that all users receive it.
Which of the following might still be vulnerable after the patch? - ANSWER✔✔-c. Firmware
Which of the following types of hackers are strongly motivated by ideology? - ANSWER✔✔-Hacktivists
Which part of the NIST Cybersecurity Framework defines the activities needed to attain the
different cybersecurity results? - ANSWER✔✔-b. Framework core
Which type of vulnerability scan mimics the work of a threat actor who has already exploited a
vulnerability and compromised credentials to access the network? - ANSWER✔✔-b. Credentialed
scan
John is appointed as a vulnerability assessment engineer in a financial organization. An audit report
published by a third-party auditing firm revealed that most of the web servers have cross-site
scripting and XML entity injection vulnerabilities. John has been told to perform a vulnerability
assessment on these servers to verify if the audit report is valid. He is also told that he should not
attempt to engage or exploit any vulnerabilities. By applying his knowledge of vulnerability