CompTIA CertMaster CE Security+ (2025)
— Complete Practice Questions and
Answers with Explanations
An authoritative Domain Name System (DNS) server for a zone creates a
Resource Records Set (RRSet) signed with a zone signing key. What is the
result of this action? - .....ANS...DNS Security Extensions
A cloud service provider (CSP) dashboard provides a view of all applicable
logs for cloud resources and services. When examining the application
programming interface (API) logs, the cloud engineer sees some odd metrics.
Which of the following are examples that the engineer would have concerns
for? (Select all that apply.) - .....ANS...Spike in API calls
&
78% average error rate
A company would like to deploy a software service to monitor traffic and
enforce security policies in their cloud environment. What tool should the
company consider using? - .....ANS...CASB
A Transport Layer Security (TLS) Virtual Private Network (VPN) requires a
remote access server listening on port 443 to encrypt traffic with a client
machine. An IPSec (Internet Protocol Security) VPN can deliver traffic in two
modes. One mode encrypts only the payload of the IP packet. The other mode
encrypts the whole IP packet (header and payload). What are these two
modes? (Select all that apply.) - .....ANS...Tunnel
&
Transport
If managed improperly, which of the following would be most detrimental to
access management of cloud-based storage resources? - .....ANS...Resource
policies
Which of the following is used to review application code for signatures of
known issues before it is packaged as an executable? - .....ANS...Static code
analysis
A security engineer must install an X.509 certificate on a computer system, but
it is not accepted. The system requires a Base64 encoded format. What must
the security engineer execute to properly install this certificate? -
.....ANS...Convert to a .pem file.
Cloud service providers make services available around the world through a
variety of methods. The concept of a zone assumes what type of service level?
(Select all that apply.) - .....ANS...Regional replication
&
High availability
Which of the following reduces the risk of data exposure between containers
on a cloud platform? (Select all that apply.) - .....ANS...Namespaces
&
Control groups
There are several ways to check on the status of an online certificate, but some
introduce privacy concerns. Consider how each of the following is structured,
and select the option with the best ability to hide the identity of the certificate
status requestor. - .....ANS...OCSP stapling
An administrator navigates to the Windows Firewall with Advanced Security.
The inbound rules show a custom rule that assigns the action "Allow the
connection" to all programs, all protocols, and all ports with a scope of
192.168.0.0/24. This is an example of what type of security setting? -
.....ANS...ACL
What are the differences between WPA and WPA2? (Select all that apply.) -
.....ANS...Unlike WPA, WPA2 supports an encryption algorithm based on the
Advanced Encryption Standard (AES) instead of the version of RC4 "patched"
with the Temporal Key Integrity Protocol (TKIP).
&
Unlike WPA, WPA2 uses the Advanced Encryption Standard (AES) cipher with
128-bit keys.
A network analyst reviews risks associated with certificates traveling across
SSL/TLS. What refers to several techniques that can be used to ensure that
when a client inspects the certificate presented by a server or a code-signed
application, it is inspecting the proper certificate? - .....ANS...Use Certificate
Pinning
Which wireless configurations provide the most up-to-date and secure way of
connecting wireless devices to an office or home network? (Select all that
apply.) - .....ANS...WPA3
&
SAE
An administrator deploys a basic network intrusion detection system (NIDS)
device to identify known attacks. What detection method does this device use?
- .....ANS...Signature-based
Which of the following provides attestation and is signed by a trusted
platform module (TPM)? - .....ANS...Measured boot
A support technician reviews a computer's boot integrity capabilities and
discovers that the system supports a measured boot process. Which statement
accurately describes a part of this process? - .....ANS...Measured boot will
record the presence of unsigned kernel-level code.
A web server will utilize a directory protocol to enable users to authenticate
with domain credentials. A certificate will be issued to the server to set up a
secure tunnel. Which protocol is ideal for this situation? - .....ANS...LDAPS