COMPTIA SECURITY + EXAM 2025
QUESTIONS AND ANSWERS
Reconnaissance - ....ANSWER ...-Reconnaissance is the process of gathering
information about an organization, including:
System hardware information
Network configuration
Individual user information
Social Engineering - ....ANSWER ...-Social engineering is the process of
manipulating others to give you sensitive information such as:
Intimidation
Sympathy
Technical - ....ANSWER ...-A technical approach is using software or utilities to
find vulnerabilities in a system.
Port scan
Ping sweep
Breach - ....ANSWER ...-A breach is the penetration of system defenses, achieved
through information gathered by reconnaissance to penetrate the system defenses and
gain unauthorized access.
...©️ 2025, ALL RIGHTS RESERVED 1
,Escalate Privileges - ....ANSWER ...-Escalating privileges is one of the primary
objectives of an attacker and can be achieved by configuring additional (escalated) rights
to do more than just breaching the system.
Create a Backdoor - ....ANSWER ...-Creating a backdoor is an alternative method
of accessing an application or operating system for troubleshooting. Hackers often
create backdoors to exploit a system without being detected.
Stage - ....ANSWER ...-Staging a computer involves preparing it to perform
additional tasks in the attack, such as installing software designed to attack other
systems. This is an optional step.
Exploit - ....ANSWER ...-An exploitation takes advantage of known vulnerabilities
in software and systems. Types of exploitation include:
Stealing information
Denying services
Crashing systems
Modifying/Altering information
Layering - ....ANSWER ...-Layering involves implementing multiple security
strategies to protect the same asset. Defense in depth or security in depth is the premise
that no single layer is completely effective in securing the assets. The most secure
system/network has many layers of security and eliminates single points of failure.
Principle of Least Privilege - ....ANSWER ...-The principle of least privilege states
that users or groups are given only the access they need to do their job and nothing
...©️ 2025, ALL RIGHTS RESERVED 2
,more. When assigning privileges, be aware that it is often easier to give a user more
access when they need it than to take away privileges that have already been granted.
Variety - ....ANSWER ...-Defensive layers should have variety and be diverse;
implementing multiple layers of the exact same defense does not provide adequate
strength against attacks.
Randomness - ....ANSWER ...-Randomness in security is the constant change in
personal habits and passwords to prevent anticipated events and exploitation.
Simplicity - ....ANSWER ...-Security measures should provide protection, but not
be so complex that you do not understand and use them.
Sophisticated Attacks - ....ANSWER ...-Sophisticated attacks are complex, making
them difficult to detect and thwart. Sophisticated attacks:
Use common internet tools and protocols, making it difficult to distinguish an attack
from legitimate traffic.
Vary their behavior, making the same attack appear differently each time.
Proliferation of Attack Software - ....ANSWER ...-A wide variety of attack tools are
available on the internet, allowing anyone with a moderate level of technical knowledge
to download the tools and run an attack.
Attack Scale and Velocity - ....ANSWER ...-The scale and velocity of an attack can
grow to millions of computers in a matter of minutes or days due to its ability to
proliferate on the internet. Because modern attacks are not limited to user interactions,
such as using a floppy disk, to spread an attack from machine to machine, the attacks
often affect very large numbers of computers in a relatively short amount of time.
...©️ 2025, ALL RIGHTS RESERVED 3
, Confidentiality - ....ANSWER ...-Ensures that data is not disclosed to unintended
persons. This is provided through encryption, which converts the data into a form that
makes it less likely to be usable by an unintended recipient.
Integrity - ....ANSWER ...-ensures that data is not modified or tampered with. This
is provided through hashing.
Availability - ....ANSWER ...-which ensures the uptime of the system so that data
is available when needed
Non-repudiation - ....ANSWER ...-provides validation of a message's origin. For
example, if a user sends a digitally signed email, they cannot claim later that the email
was not sent. Non-repudiation is enforced by digital signatures.
CIA of Security - ....ANSWER ...-refers to confidentiality, integrity, and availability.
These are often identified as the three main goals of security.
Physical security - ....ANSWER ...-which includes all hardware and software
necessary to secure data, such as firewalls and antivirus software.
Users and administrators - ....ANSWER ...-which are the people who use the
software and the people who manage the software, respectively.
Policies - ....ANSWER ...-which are the rules an organization implements to
protect information.
Risk management - ....ANSWER ...-is the process of identifying security issues and
deciding which countermeasures to take in reducing risk to an acceptable level. The
main objective is to reduce the risk for an organization to a level that is deemed
acceptable by senior management.
...©️ 2025, ALL RIGHTS RESERVED 4
QUESTIONS AND ANSWERS
Reconnaissance - ....ANSWER ...-Reconnaissance is the process of gathering
information about an organization, including:
System hardware information
Network configuration
Individual user information
Social Engineering - ....ANSWER ...-Social engineering is the process of
manipulating others to give you sensitive information such as:
Intimidation
Sympathy
Technical - ....ANSWER ...-A technical approach is using software or utilities to
find vulnerabilities in a system.
Port scan
Ping sweep
Breach - ....ANSWER ...-A breach is the penetration of system defenses, achieved
through information gathered by reconnaissance to penetrate the system defenses and
gain unauthorized access.
...©️ 2025, ALL RIGHTS RESERVED 1
,Escalate Privileges - ....ANSWER ...-Escalating privileges is one of the primary
objectives of an attacker and can be achieved by configuring additional (escalated) rights
to do more than just breaching the system.
Create a Backdoor - ....ANSWER ...-Creating a backdoor is an alternative method
of accessing an application or operating system for troubleshooting. Hackers often
create backdoors to exploit a system without being detected.
Stage - ....ANSWER ...-Staging a computer involves preparing it to perform
additional tasks in the attack, such as installing software designed to attack other
systems. This is an optional step.
Exploit - ....ANSWER ...-An exploitation takes advantage of known vulnerabilities
in software and systems. Types of exploitation include:
Stealing information
Denying services
Crashing systems
Modifying/Altering information
Layering - ....ANSWER ...-Layering involves implementing multiple security
strategies to protect the same asset. Defense in depth or security in depth is the premise
that no single layer is completely effective in securing the assets. The most secure
system/network has many layers of security and eliminates single points of failure.
Principle of Least Privilege - ....ANSWER ...-The principle of least privilege states
that users or groups are given only the access they need to do their job and nothing
...©️ 2025, ALL RIGHTS RESERVED 2
,more. When assigning privileges, be aware that it is often easier to give a user more
access when they need it than to take away privileges that have already been granted.
Variety - ....ANSWER ...-Defensive layers should have variety and be diverse;
implementing multiple layers of the exact same defense does not provide adequate
strength against attacks.
Randomness - ....ANSWER ...-Randomness in security is the constant change in
personal habits and passwords to prevent anticipated events and exploitation.
Simplicity - ....ANSWER ...-Security measures should provide protection, but not
be so complex that you do not understand and use them.
Sophisticated Attacks - ....ANSWER ...-Sophisticated attacks are complex, making
them difficult to detect and thwart. Sophisticated attacks:
Use common internet tools and protocols, making it difficult to distinguish an attack
from legitimate traffic.
Vary their behavior, making the same attack appear differently each time.
Proliferation of Attack Software - ....ANSWER ...-A wide variety of attack tools are
available on the internet, allowing anyone with a moderate level of technical knowledge
to download the tools and run an attack.
Attack Scale and Velocity - ....ANSWER ...-The scale and velocity of an attack can
grow to millions of computers in a matter of minutes or days due to its ability to
proliferate on the internet. Because modern attacks are not limited to user interactions,
such as using a floppy disk, to spread an attack from machine to machine, the attacks
often affect very large numbers of computers in a relatively short amount of time.
...©️ 2025, ALL RIGHTS RESERVED 3
, Confidentiality - ....ANSWER ...-Ensures that data is not disclosed to unintended
persons. This is provided through encryption, which converts the data into a form that
makes it less likely to be usable by an unintended recipient.
Integrity - ....ANSWER ...-ensures that data is not modified or tampered with. This
is provided through hashing.
Availability - ....ANSWER ...-which ensures the uptime of the system so that data
is available when needed
Non-repudiation - ....ANSWER ...-provides validation of a message's origin. For
example, if a user sends a digitally signed email, they cannot claim later that the email
was not sent. Non-repudiation is enforced by digital signatures.
CIA of Security - ....ANSWER ...-refers to confidentiality, integrity, and availability.
These are often identified as the three main goals of security.
Physical security - ....ANSWER ...-which includes all hardware and software
necessary to secure data, such as firewalls and antivirus software.
Users and administrators - ....ANSWER ...-which are the people who use the
software and the people who manage the software, respectively.
Policies - ....ANSWER ...-which are the rules an organization implements to
protect information.
Risk management - ....ANSWER ...-is the process of identifying security issues and
deciding which countermeasures to take in reducing risk to an acceptable level. The
main objective is to reduce the risk for an organization to a level that is deemed
acceptable by senior management.
...©️ 2025, ALL RIGHTS RESERVED 4