CompTIA Security+ Certification in a Nutshell
CompTIA Security+ is a globally recognized certification that validates the foundational skills and knowledge needed to perform core security functions. The Security+ is vendor-neutral and not role-specific, so it fits well in a range of organizations, regardless of which technologies they use. With this foundation in place, many CompTIA Security+ certified professionals go on to take popular vendor-specific exams, such as those for VMWare, Cisco or Microsoft.
CompTIA generally releases a new Security+ exam every three years. The current version of the exam, SY0-501, was launched on October 4, 2017. That marked the retirement of the previous version, SY0-401, which was released in May 2014. Changes to the CompTIA exam objectives include removal of the Network Security segment, but the test still covers installing and configuring network components, implementing a secure network architecture, and other network security-related topics.
Earning the CompTIA credential involves considerable preparation. The six CompTIA Security+ SY0-501 exam objectives (domains) are:
- Threats, Attacks, and Vulnerabilities
- Technologies and Tools
- Architecture and Design
- Identity and Access Management
- Risk Management
- Cryptography and PKI
Key skills measured by the exam include identifying security threats, choosing appropriate cyber risk management techniques, and identifying and analyzing common attacks (such as social engineering, malware, and application & wireless attacks).
To get the CompTIA Security+ SY0-501 certification, you don’t need to complete any prerequisite courses. Nevertheless, CompTIA recommends at least two years of experience in IT administration, focused on security. It’s also smart to take SY0-501 practice tests and review relevant interviews, resources and video deep-dives.
Exam SY0-501 Free Practice Test
To help you assess your readiness, we’ve developed a free Security+ practice test. This SY0-501 practice quiz is a simulated version of the CompTIA Security+ exam. You can test your knowledge of all exam topics using this Security+ quiz.
Ready to take the 30-question challenge?
The CompTIA Security+ practice questions presented here are meant to be used after you read the Study Guide for the CompTIA Security+ Certification Exam. If you are unable to answer at least 70% of the questions, go back to the study guide and review the material for the questions that you missed.
Domain 1
Threats, Attacks and Vulnerabilities
Question 1 of 5
You are investigating malware on a laptop computer. The malware is exhibiting the following characteristics:
• It is blocking access to some user data.
• It has encrypted some user data.
• A stranger is demanding compensation to give you access to the data.
Which type of malware is on the laptop computer?
Explanation: Based on the demand for payment, you can be certain that this is some type of ransomware. Because it has encrypted some of the data, the malware is called crypto-malware.
Question 2 of 5
An executive assistant reports a suspicious phone call to you. You ask him to describe the call in more detail and he provides the following information:
• The caller claims to be a member of the IT department.
• The caller claims that the executive assistant’s computer has a virus.
• The caller requests access to the executive assistant’s computer to remove the virus.
• The caller asks for immediate access due to the vicious nature of the virus.
The executive assistant thought the call was suspicious because it came from outside of the company and he had never heard of the person before. Which type of attack occurred and which technique did the attacker use to try to gain access to the computer?
Explanation: When a phishing attack occurs by telephone, it is called a vishing attack. When an attacker tries to persuade the victim with urgency, the goal is to alarm the victim or scare the victim into quick action (such as giving the person access to the computer). In this scenario, the attacker made the virus sound vicious in hopes that the executive assistant would quickly grant access to his machine.
Question 3 of 5
One of your customers recently reported that their corporate website was attacked. As part of the attack, the website was defaced and a message supporting a political party was added. Which of the following threat actors is likely responsible?
Explanation: Because the website was defaced with a political message, a hacktivist is likely responsible for the attack.
Question 4 of 5
Your company plans to have a third-party company perform penetration testing on their IT environment. The company has established the following guidelines for the testing:
• The third-party company will not be given any information about the IT environment.
• The third-party company will not be given access to the IT environment.
Which type of penetration testing should you request?
Explanation: With black box testing, the third-party company has to rely on public sources of information and public-facing resources to get started.
Question 5 of 5
A customer has requested that you test their user password strength. The customer provides you a secure, air-gapped computer and the password hashes. You need to try to crack the passwords using the hashes. Speed is the most important factor because the customer is contemplating an enterprise-wide password reset. Which of the following technologies should you use in your attack?
Explanation: Of the available choices, rainbow tables provide the fastest effective attack method for password hashes. Because the tables are pre-computed, they provide excellent performance, especially for password hash attacks.
Domain 2
Technologies and Tools
Question 1 of 5
You are preparing to implement two web servers, both of which will serve the same website and content. The website has a single page, which simply displays the air temperature inside the company’s datacenter. You opt to deploy a load balancer so that both servers are active. You need to implement the simplest load balancing scheduling algorithm for this scenario. Which scheduling algorithm should you implement?
Explanation: In this scenario, only affinity and round-robin are valid choices for the scheduling algorithm. For simple load balancing scenarios, you should use round-robin — it is simple to deploy and maintain. Affinity is useful when you need users to communicate with a single web server (such as during an online purchase).
Question 2 of 5
You are troubleshooting communication between a client and a server. The server has a web application running on port 80. The client is unable to connect to the web application. You validate that the client has network connectivity to the server by successfully pinging the server from the client. You check the server and notice that the web server service is running. Now, you need to validate the port that the web application is listening on. Which of the following tools should you use?
Explanation: In this scenario, you need to look at the listening ports on the server. You should use the Netstat tool to list all the listening ports. Optionally, you can look at the web server configuration to find the configured port, but this is not one of the answers listed.
Question 3 of 5
A customer is preparing to deploy a new web application that will primarily be used by the public over the internet. The web application will use HTTPS to secure the user connections. You are called to review the configuration of the environment. You discover the following items:
• The customer’s internal PKI issued the certificate for the web application.
• The certificate used for the web application is a wildcard certificate.
Based on your findings, which of the following outcomes is most likely to occur for public users?
Explanation: The certificate will be reported as untrusted because the internal PKI issued the certificate, but the web application is used by the public over the internet and the public doesn’t trust your internal PKI. While there are scenarios in which an internal PKI is trusted for public use, that isn’t specified in this scenario. The wildcard certificate, while not recommended for this scenario, will not cause any of the issues listed.
Question 4 of 5
You are configuring a mobile device management solution to be used for your company’s mobile devices. The management team has a single immediate requirement: prevent users from bypassing the Apple or Android app store to install apps. What should you do?
Explanation: Sideloading is the act of installing apps outside of the app stores. Many organizations prefer to block sideloading because of the high risk of malware in apps outside of an official app store.
Question 5 of 5
You are implementing a secure file sharing solution at your organization. The solution will enable users to share files with other users. The management team issues a key requirement — the file sharing must occur over SSH. Which protocol should you implement?
Explanation: SFTP uses SSH for file transfer. FTPS is a file-transfer protocol but it uses FTP rather than SSH. The other two protocols are not designed for file sharing: S/MIME is used for email communication, and SRTP is used to secure communications over a telephony or communications-based network.
Domain 3
Architecture and Design
Question 1 of 5
You are implementing a software distribution server farm. The server farm has one primary purpose — to deliver your company’s installer files to customers or potential customers via trial installers. The software distribution will be available over the internet to anyone. The company has established the following requirements:
• The software distribution implementation must not provide access to the company’s internal resources.
• The software distribution implementation must maximize security.
You need to implement the server farm using a technology or zone to meet the requirements. What should you do?
Explanation: In this scenario, you need any internet user to be able to get to your software distribution system. The DMZ provides for this. The second requirement is to maximize security. As a segmented network at the edge of your network, the DMZ satisfies this requirement as well. While an air-gapped computer or network would also maximize security, users would not be able to get to the software distribution system. An extranet is like a DMZ, but it is used for vendors, partners and suppliers, not the general population.
Question 2 of 5
You are deploying a forward proxy. The proxy will cache intranet and internet content to speed up web requests from users. You want to maintain a simple configuration and maximize security. You need to decide which network zone to use for the proxy servers. Which zone should you choose?
Explanation: The proxy will cache content on the intranet and on the internet. If it is deployed in the intranet, it will have easy access to both. If it were deployed outside of the intranet, then permitting communication to the intranet from the DMZ (or elsewhere) might open attack vectors and result in a complex configuration.
Question 3 of 5
You are ordering servers for a customer that needs high security. You plan to use encrypted hard drives and a secure boot process with all the servers. You opt to use a hardware chip on the motherboard to facilitate the use of encrypted hard drives and the secure boot process. Which of the following components should you order for each server?
Explanation: A TPM is a hardware chip on a motherboard that enables cryptographic operations for tasks such as secure boot and disk encryption. An HSM provides encryption keys to other services, such as a PKI or a web-based service.
Question 4 of 5
You were recently hired by a small company that is beginning to develop software internally and wants to ensure that its IT environment supports a secure development lifecycle. The company asks you to propose a list of the environments required to support their development efforts, along with the order in which they should use the environments for software releases. Which of the following options should you recommend?
Explanation: A development environment is the place to develop code. Then, you deploy the code to a test environment that resembles your production environment. Next, you deploy it to a staging environment that resembles your production environment as closely as possible. Last, you deploy it to your production environment.
Question 5 of 5
You have a new web application that collects data from users — users fill out a form and submit it. You store the data in a database. After a few months, you review the data and discover that some information is not stored in a consistent manner. For example, some phone numbers are stored with dashes (213-555-4321), some are stored with periods (213.555.4321), and some are stored with other methods, such as (213)555-4321. Other data, such as the name of the city, is inconsistent. For example, some users used “San Francisco”, some used “San Fran”, some used “SF”, and others used “SFO”. You need to figure out a way to ensure consistent data. Which two of the following methods can you use? (Choose two answers.)
Explanation: You can use input validation to ensure that data is entered in a specific format. For example, you could require users to choose a city name from a drop-down menu and enter phone numbers without dashes. Alternatively, you can use normalization to fix the data after
Domain 4
Identity and Access Management
Question 1 of 5
You are integrating your on-premises identity provider (IdP) with a cloud-based service. The cloud-based service offers federated authentication. Which two of the following protocols could you use for the integration? (Choose two.)
Explanation: SAML is one option for federating with a cloud-based service; it has been around for a long time and is widely supported. OpenID Connect is another option; it is newer than SAML and gaining momentum in the industry. LDAP and Kerberos are protocols used for on-premises authentication and directory integration; they are not suitable for internet-based authentication.
Question 2 of 5
You are troubleshooting a user authentication issue. The user reports that they are trying to connect to a cloud-based portal. The portal prompts them for a second factor of authentication. The company uses TOTPs for multi-factor authentication. However, the user reports that when they enter their TOTP, it isn’t accepted. Which of the following reasons could be the cause?
Explanation: In this scenario, the one-time password is expired. The user might not be entering it fast enough or is entering it too late. Because the user is getting prompted for the multi-factor authentication, the initial authentication (via SSO or manual auth) is functional.
Question 3 of 5
You are updating the user account configuration for your company. You need to ensure that a user will be prevented from logging on if 10 bad password attempts are tried on their user account, even if the 11th attempt is the valid password. Which of the following technologies should you implement?
Explanation: Account lockout prevents the use of an account after a specified number of bad password attempts. An account must be unlocked before it can be used again. Some organizations automatically unlock the account after a specific period of time.
Question 4 of 5
An app team is integrating their app with your on-premises directory service. The app requires a user account that will be used to look up objects in the directory and run automated tasks. A company security policy requires the use of the principle of least privilege. Which type of account should you choose?
Explanation: A service account is an account that runs as a service (often in the background), runs jobs (such as scheduled tasks) and performs other non-human functions, so it meets the needs of the app team. A shared account is shared amongst multiple users. A guest account is a temporary account which often has limited or no access. A privileged account is used by IT administrators but often provides too much access to use as a service account (because it wouldn’t follow the principle of least privilege).
Question 5 of 5
Your company is planning to switch to certificate-based authentication for its client computers. The client computers are company-owned and run Windows 10. You need to implement a technology for certificate-based authentication that is suitable for this scenario. Which technology should you implement?
Explanation: Of the answer choices listed, only one is a certificate-based authentication solution suitable for client computers and general-purpose computing. Smart cards are compatible with client computers and user authentication and meet the requirements of this scenario.
Domain 5
Risk Management
Question 1 of 5
Your company is reviewing backups of key data. It finds that some data has not been backed up. However, an existing company policy requires that all data be backed up. You need to have the data backed up. Which of the following people should handle the backup?
Explanation: The data custodian is responsible for the day-to-day operations of managing data, including backups. In this scenario, the data custodian should back up the data, while the data owner should dictate requirements for the data.
Question 2 of 5
Your company has a control in place for shared user accounts: Such accounts can only be used to log onto training computers. However, your directory service has a limitation that only 32 computers can be added to the control. Recently, the training lab received additional computers and now has 100 computers. You need to use a different type of control for the shared user accounts. Which type of control should you use?
Explanation: A compensating control is an alternative control that you use when a primary control isn’t feasible (such as when it is prohibitively expensive or technically impossible). In this scenario, the primary control is no longer viable, and a compensating control is needed.
Question 3 of 5
You are preparing to perform a risk assessment for a customer. The customer has issued the following requirements for the assessment:
• The assessment must be objective.
• The assessment must report on the financial costs and/or implications of each risk.
Which risk assessment approach should you use?
Explanation: In this scenario, you need an objective (instead of a subjective) analysis. The quantitative approach is objective, looking at numbers and costs. A qualitative approach is subjective, less precise, and open to judgment. SLE and ALE are not risk assessment approaches.
Question 4 of 5
You are helping your organization with its business continuity and disaster recovery project. The company recently decided that the maximum data loss allowed is 4 hours. You are drafting up the documentation for the project. How should you document the maximum data loss?
Explanation: The RPO represents the maximum data loss allowed, based on time. The RTO is the maximum amount of time allowed to recover down systems.
Question 5 of 5
Your company is undertaking a project to strengthen the privacy of its data. The management team has identified the first task: Find systems that contain private information. Which of the following actions should you do to complete the first task?
Explanation: A privacy threshold assessment is specifically designed to find systems that contain private information. After a threshold assessment, it is common to go through a privacy impact assessment.
Domain 6
Cryptography and PKI
Question 1 of 5
You are evaluating cryptographic algorithms for a customer. The customer has a specific requirement for encryption that uses shared secrets. You need to recommend an encryption algorithm to meet the requirement. Which algorithm should you recommend?
Explanation: A symmetric key algorithm requires a shared secret. Each communicating party has the shared secret, which enables encryption and decryption. The other algorithms do not use a shared key.
Question 2 of 5
Your company is preparing to deploy a new two-tier public key infrastructure (PKI). The security team requires that the implementation have an offline root certification authority (CA). You need to deploy other servers to ensure that certificates can be deployed to clients. Which type of server should you deploy?
Explanation: In this scenario, you are deploying a two-tier hierarchy. The root CA represents one tier. The other tier must be intermediate CAs or subordinate CAs. In a two-tier hierarchy, the intermediate or subordinate CAs will take on all the online PKI tasks, such as issuing certificates.
Question 3 of 5
You are deploying a guest wireless network for a restaurant. The restaurant’s legal department requires that restaurant guests agree to the restaurant’s wireless terms and conditions before being allowed to use the network. What should you do?
Explanation: A captive portal enables you to display terms and conditions, rules and other information and require guests to click “I agree” before being allowed on the network.
Question 4 of 5
You are helping your company improve the security of a password database. Presently, the database contains password hashes as computed from the original password. The company wants to improve the way password hashes are stored in the database. Specifically, the company wants to make it harder to crack the password hashes if the password database is compromised. What should you do?
Explanation: The company is presently storing password hashes computed directly from the password, which can easily be cracked if the password database is compromised. A salt adds random data to the front of the password prior to hashing, which greatly improves the security of the password database and makes stolen password hashes harder to crack.
Question 5 of 5
You are implementing security into your organization’s email system. The goal is to provide a way that recipients can, with certainty, validate that the sender sent the message and that the message was not modified in transit. Which of the following items should senders add to their email messages to ensure recipients can validate the sender?
Explanation: A digital signature validates the identity of the sender and confirms that the email message wasn’t modified in transit.
Conclusion
We hope our free exam practice questions have helped you on your way toward getting your CompTIA Security+ certification. Feel free to share your feedback and suggestions in the comments section below. Best wishes on the exam!
Interested in acquiring more infosec credits? Learn more about CISSP and other security certifications.