Free SY0-501 Sample Questions — CompTIA Security+

Free SY0-501 sample questions for the CompTIA Security+ exam. No account required: study at your own pace.

Want an interactive quiz? Take the full SY0-501 practice test

Looking for more? Click here to get the full PDF with 948+ practice questions for $10 for offline study and deeper preparation.

Question 1

A recent audit uncovered a key finding regarding the use of a specific encryption standard in a web application that is used to communicate with business customers. Due to the technical limitations of its customers, the company is unable to upgrade the encryption standard. Which of the following types of controls should be used to reduce the risk created by this scenario?

  • A. Physical
  • B. Detective
  • C. Preventive
  • D. Compensating
Correct Answer:
D. Compensating
Question 2

A security administrator is choosing an algorithm to generate password hashes. Which of the following would offer the BEST protection against offline brute force attacks?

  • A. MD5
  • B. 3DES
  • C. AES
  • D. SHA-1
Correct Answer:
D. SHA-1
Question 3

A security administrator has been conducting an account permissions review that has identified several users who belong to functional groups and groups responsible for auditing the functional groups' actions. Several recent outages have not been able to be traced to any user. Which of the following should the security administrator recommend to preserve future audit log integrity?

  • A. Enforcing stricter onboarding workflow policies
  • B. Applying least privilege to user group membership
  • C. Following standard naming conventions for audit group users
  • D. Restricting audit group membership to service accounts
Correct Answer:
B. Applying least privilege to user group membership
Question 4

A systems administrator is attempting to recover from a catastrophic failure in the datacenter. To recover the domain controller, the systems administrator needs to provide the domain administrator credentials. Which of the following account types is the systems administrator using?

  • A. Shared account
  • B. Guest account
  • C. Service account
  • D. User account
Correct Answer:
D. User account
Question 5

A university is opening a facility in a location where there is an elevated risk of theft. The university wants to protect the desktops in its classrooms and labs. Which of the following should the university use to BEST protect these assets deployed in the facility?

  • A. Visitor logs
  • B. Cable locks
  • C. Guards
  • D. Disk encryption
  • E. Motion detection
Correct Answer:
C. Guards
Question 6

During an incident, a company's CIRT determines it is necessary to observe the continued network-based transactions between a callback domain and the malware running on an enterprise PC. Which of the following techniques would be BEST to enable this activity while reducing the risk of lateral spread and the risk that the adversary would notice any changes?

  • A. Physically move the PC to a separate Internet point of presence
  • B. Create and apply microsegmentation rules
  • C. Emulate the malware in a heavily monitored DMZ segment
  • D. Apply network blacklisting rules for the adversary domain
Correct Answer:
B. Create and apply microsegmentation rules
Question 7

A buffer overflow can result in:

  • A. loss of data caused by unauthorized command execution
  • B. privilege escalation caused by TPM override
  • C. reduced key strength due to salt manipulation
  • D. repeated use of one-time keys
Correct Answer:
A. loss of data caused by unauthorized command execution
Question 8

When considering IoT systems, which of the following represents the GREATEST ongoing risk after a vulnerability has been discovered?

  • A. Difficult-to-update firmware
  • B. Tight integration to existing systems
  • C. IP address exhaustion
  • D. Not using industry standards
Correct Answer:
B. Tight integration to existing systems
Question 9

Adhering to a layered security approach, a controlled access facility employs security guards who verify the authorization of all personnel entering the facility. Which of the following terms BEST describes the security control being employed?

  • A. Administrative
  • B. Corrective
  • C. Deterrent
  • D. Compensating
Correct Answer:
C. Deterrent
Question 10

Which of the following are methods to implement HA in a web application server environment? (Choose two.)

  • A. Load balancers
  • B. Application layer firewalls
  • C. Reverse proxies
  • D. VPN concentrators
  • E. Routers
Correct Answer:
  • A. Load balancers
  • C. Reverse proxies
Question 11

A security analyst is emailing PII in a spreadsheet file to an audit validator for after-actions related to a security assessment. The analyst must make sure the PII data is protected with the following minimum requirements:

  • Ensure confidentiality at rest.
  • Ensure the integrity of the original email message.

Which of the following controls would ensure these data security requirements are carried out?

  • A. Encrypt and sign the email using S/MIME
  • B. Encrypt the email and send it using TLS
  • C. Hash the email using SHA-1
  • D. Sign the email using MD5
Correct Answer:
A. Encrypt and sign the email using S/MIME
Question 12

The CSIRT is reviewing the lessons learned from a recent incident. A worm was able to spread unhindered throughout the network and infect a large number of computers and servers. Which of the following recommendations would be BEST to mitigate the impacts of a similar incident in the future?

  • A. Install a NIDS device at the boundary
  • B. Segment the network with firewalls
  • C. Update all antivirus signatures daily
  • D. Implement application blacklisting
Correct Answer:
B. Segment the network with firewalls
Question 13

A company wants to host a publicly available server that performs the following functions:

  • Evaluates MX record lookup
  • Can perform authenticated requests for A and AAA records
  • Uses RRSIG

Which of the following should the company use to fulfill the above requirements?

  • A. DNSSEC
  • B. SFTP
  • C. nslookup
  • D. dig
  • E. LDAPS
Correct Answer:
D. dig
Question 14

An administrator is replacing a wireless router. The configuration of the old wireless router was not documented before it stopped functioning. The equipment connecting to the wireless network uses older legacy equipment that was manufactured prior to the release of the 802.11i standard. Which of the following configuration options should the administrator select for the new wireless router?

  • A. WPA+CCMP
  • B. WPA2+CCMP
  • C. WPA+TKIP
  • D. WPA2+TKIP
Correct Answer:
B. WPA2+CCMP
Question 15

A security administrator is configuring a new network segment, which contains devices that will be accessed by external users, such as web and FTP servers. Which of the following represents the MOST secure way to configure the new network segment?

  • A. The segment should be placed on a separate VLAN, and the firewall rules should be configured to allow external traffic
  • B. The segment should be placed in the existing internal VLAN to allow internal traffic only
  • C. The segment should be placed on an intranet, and the firewall rules should be configured to allow external traffic
  • D. The segment should be placed on an extranet, and the firewall rules should be configured to allow both internal and external traffic
Correct Answer:
A. The segment should be placed on a separate VLAN, and the firewall rules should be configured to allow external traffic

Aced these? Get the Full Exam

Download the complete SY0-501 study bundle with 948+ questions in a single printable PDF.