Try 10 focused CompTIA Security+ SY0-701 questions on Threats and Mitigations, with explanations, then continue with IT Mastery.
Open the matching IT Mastery practice page for timed mocks, topic drills, progress tracking, explanations, and full practice.
| Field | Detail |
|---|---|
| Exam route | CompTIA Security+ SY0-701 |
| Topic area | Threats, Vulnerabilities, and Mitigations |
| Blueprint weight | 22% |
| Page purpose | Focused sample questions before returning to mixed practice |
Use this page to isolate Threats, Vulnerabilities, and Mitigations for CompTIA Security+ SY0-701. Work through the 10 questions first, then review the explanations and return to mixed practice in IT Mastery.
| Pass | What to do | What to record |
|---|---|---|
| First attempt | Answer without checking the explanation first. | The fact, rule, calculation, or judgment point that controlled your answer. |
| Review | Read the explanation even when you were correct. | Why the best answer is stronger than the closest distractor. |
| Repair | Repeat only missed or uncertain items after a short break. | The pattern behind misses, not the answer letter. |
| Transfer | Return to mixed practice once the topic feels stable. | Whether the same skill holds up when the topic is no longer obvious. |
Blueprint context: 22% of the practice outline. A focused topic score can overstate readiness if you recognize the pattern too quickly, so use it as repair work before timed mixed sets.
These questions are original IT Mastery practice items aligned to this topic area. They are designed for self-assessment and are not official exam questions.
Topic: Threats, Vulnerabilities, and Mitigations
A company has experienced multiple malware infections on corporate laptops, even though traditional antivirus with current signatures is installed. Investigation shows that users are downloading unauthorized tools and that some infections came from drive‑by downloads that quickly changed behavior to evade signatures.
Security leadership wants additional technical controls on these endpoints that will:
- Prevent unapproved executables and scripts from running on the laptops
- Detect suspicious process activity and automatically contain compromised endpoints in near real time
The company does not want to redesign the network or move users to a new desktop platform.
Which of the following actions/controls will BEST meet these requirements? (Select TWO.)
Options:
A. Enable full‑disk encryption on all laptops to protect data at rest
B. Implement application allowlisting so that only approved business applications and scripts are permitted to execute on the laptops
C. Schedule weekly external vulnerability scans against the company’s internet perimeter
D. Expand phishing awareness training and simulated phishing campaigns for all employees
E. Deploy an endpoint detection and response (EDR) platform that monitors process behavior and can automatically isolate compromised endpoints
Correct answers: B and E
Explanation: This scenario focuses on mitigating malware that is evading traditional, signature‑based antivirus by changing behavior and by running as unauthorized software downloaded by users. The requirements call explicitly for endpoint technical controls that (1) prevent unapproved executables/scripts from running and (2) detect and automatically contain suspicious activity in near real time.
An EDR (endpoint detection and response) platform provides behavior‑based detection, telemetry, and automated response such as isolating a host or killing a malicious process. This goes beyond traditional AV signatures and directly addresses the requirement for rapid detection and containment of suspicious processes and lateral movement.
Application allowlisting (also called application control) enforces a policy where only explicitly approved applications and scripts are allowed to execute. Anything not on the approved list is blocked by default. This directly satisfies the requirement to prevent users from running unapproved executables and scripts, which is a common path for malware infection.
Other options like awareness training, full‑disk encryption, and external vulnerability scans are useful security practices, but they do not meet the specific technical requirements on endpoints described in the scenario. They address different risks (user behavior, data at rest, perimeter exposure) rather than the malware execution and real‑time containment problem on laptops.
This aligns with Domain 2 of Security+, where candidates must choose appropriate technical controls—such as EDR and application allowlisting—to mitigate malware threats in realistic environments.
Topic: Threats, Vulnerabilities, and Mitigations
A small company has a single perimeter firewall and a flat internal network. All employees can access a shared HR file server containing salary and performance records. Management is most concerned about a disgruntled employee stealing this data, rather than internet-based attackers. Which change would BEST address this concern while keeping the environment simple?
Options:
A. Restrict HR file server access using role-based permissions and enable detailed access logging for HR data.
B. Move the HR file server to a public cloud storage bucket with public-read disabled but no changes to access control.
C. Deploy a second internet firewall in high-availability mode to protect against external attacks.
D. Require all remote users to connect via VPN before accessing internal resources.
Best answer: A
Explanation: This scenario focuses on an internal threat actor: a disgruntled employee who already has network access and potentially legitimate credentials. Perimeter firewalls and VPNs are primarily aimed at external threats coming from the internet. To address insider risk, the organization must control who can access sensitive HR data and monitor that access.
Applying role-based permissions and least privilege ensures that only authorized HR staff can access salary and performance records. Enabling detailed access logging on the HR file server supports detection and investigation if an insider attempts misuse. These steps directly mitigate the impact of an internal threat actor without over-complicating the network architecture.
In contrast, adding more perimeter firewalls or moving to the cloud without changing access controls focuses on external attack surfaces or infrastructure location, which does not substantially reduce the risk from a malicious insider already inside the network boundary.
Topic: Threats, Vulnerabilities, and Mitigations
Which of the following statements about using network security controls to mitigate DoS, man-in-the-middle, and scanning attacks are TRUE? (Select TWO.)
Options:
A. Deploying an IDS/IPS at the network perimeter helps detect port scans and some volumetric DoS patterns before they affect internal systems.
B. Allowing all ICMP traffic through the perimeter firewall is recommended so IDS/IPS tools can better detect scanning activity.
C. Network segmentation with internal firewalls reduces the impact of scanning and DoS attacks by limiting the number of reachable targets in each segment.
D. Using only a web application firewall (WAF) is typically sufficient to detect ARP spoofing and other LAN-based man-in-the-middle attacks.
E. Encrypting all internal traffic with TLS at access switches prevents external attackers from launching DoS attacks against internal servers.
F. Disabling logging on perimeter firewalls is recommended to increase throughput and helps mitigate large-scale scanning attacks.
Correct answers: A and C
Explanation: This question focuses on how traditional network security controls—specifically IDS/IPS and segmentation with firewalls—help mitigate DoS, man-in-the-middle (MITM), and scanning attacks.
An IDS/IPS at or near the perimeter inspects inbound and outbound traffic for signatures, anomalies, and known malicious patterns. It can identify and sometimes block port scans and common DoS signatures before they reach internal hosts. Network segmentation with internal firewalls or ACLs limits which systems can talk to each other, reducing the number of systems exposed to scanning and constraining how much of the network a DoS or compromised host can affect.
In contrast, controls like TLS encryption or WAFs address different layers and threats (confidentiality/integrity of application traffic) and do not, by themselves, stop volumetric DoS, ARP spoofing, or broad network scanning. Similarly, disabling firewall logging or allowing all ICMP traffic increases risk and reduces visibility rather than mitigating attacks.
Topic: Threats, Vulnerabilities, and Mitigations
Which TWO of the following statements about phishing, spear phishing, and whaling are INCORRECT? (Select TWO.)
Options:
A. Generic phishing often involves large numbers of noncustomized messages with generic greetings sent to many recipients.
B. Because whaling attacks focus on executives, security awareness training for nonexecutive staff is not a primary defense against them.
C. Spear phishing uses information about a specific victim or small group (such as name, role, or recent activity) to make the message appear more credible.
D. Vishing and smishing are phishing variants that use voice calls and SMS/text messages instead of standard email.
E. Whaling refers to phishing campaigns that mainly target regular end users so that attackers can harvest as many credentials as possible.
F. In a typical whaling attack, messages are often customized and may reference executive responsibilities such as financial approvals or mergers and acquisitions.
Correct answers: B and E
Explanation: This question focuses on recognizing accurate characteristics of different phishing variants: generic phishing, spear phishing, and whaling, as well as vishing and smishing.
Generic phishing campaigns are broad and noncustomized, sent to many recipients with generic messages and lures. Spear phishing is more focused: the attacker researches a specific person or small group and tailors the message using personal or organizational details. Whaling is a subset of spear phishing that targets high-profile individuals such as executives, senior managers, or other “big fish” with access to sensitive decisions or funds.
Phishing can be delivered via different channels, including email, voice calls (vishing), and SMS/text messages (smishing). Effective defenses include technical controls (email filtering, URL rewriting, MFA) and, crucially, broad security awareness training for all staff, including executives and the people who work around them, because attackers may go through assistants, finance staff, or IT support to reach their ultimate targets.
Topic: Threats, Vulnerabilities, and Mitigations
Employees in several departments have started using unsanctioned cloud file‑sharing tools to collaborate with external partners, bypassing the company’s approved collaboration platform and identity provider. From a security perspective, which concept BEST explains why this shadow IT behavior significantly increases organizational risk?
Options:
A. Use of separation of duties by splitting responsibilities across internal and external systems
B. Application of least privilege by limiting IT administrators’ ability to view user data
C. Implementation of defense in depth by adding additional independent storage providers
D. Expanded attack surface caused by loss of centralized visibility and control over data and access
Best answer: D
Explanation: Shadow IT occurs when users adopt tools, especially cloud or SaaS services, without approval or integration into the organization’s security controls. When employees use unsanctioned file‑sharing or collaboration apps, security teams lose centralized visibility into where data is stored, who can access it, and how it is protected.
This directly expands the organization’s attack surface: there are more external accounts, services, and data repositories that attackers can target, but they are outside normal monitoring, logging, DLP, and identity and access management. Because these shadow services are not governed by corporate policies, data governance and access control break down. Sensitive files might be shared with personal accounts, weak passwords might be used, and MFA or SSO may not be enforced.
In the Security+ Domain 2 context, this scenario illustrates how shadow IT and unsanctioned SaaS usage increase risk by creating new, uncontrolled threat vectors and blind spots, not by improving layered security or applying core principles such as least privilege or separation of duties.
Topic: Threats, Vulnerabilities, and Mitigations
Which TWO statements correctly describe computer worms as a type of malware? (Select TWO.)
Options:
A. They require user interaction to execute because they are hidden inside legitimate-looking programs.
B. They can self-replicate and spread across networks without attaching to a host file.
C. They typically encrypt user data and demand payment for a decryption key.
D. They often consume network bandwidth and cause performance degradation as they propagate.
E. They record keystrokes to capture passwords and other sensitive data typed by the user.
Correct answers: B and D
Explanation: This question focuses on recognizing worms based on their observable behavior, which is a key skill in identifying common malware types. A worm is a self-contained piece of malware that can replicate itself and move across systems and networks without needing to infect a host file. Its replication and scanning activity can significantly impact network performance, even if it does not directly corrupt data.
By contrast, ransomware is identified by encrypting data and demanding payment, Trojans by disguising themselves as legitimate programs and relying on user execution, and keyloggers by silently capturing keystrokes. Being able to separate these behaviors helps analysts quickly narrow down what kind of malware they are dealing with when they see symptoms such as heavy network traffic, encrypted files, or credential theft.
Topic: Threats, Vulnerabilities, and Mitigations
Which TWO of the following statements about common password attacks are MOST accurate? (Select TWO.)
Options:
A. Credential stuffing typically uses username/password pairs harvested from other breaches and tests them against many accounts on a different site.
B. Password spraying and credential stuffing are the same attack, just two names for identical behavior.
C. Password spraying tries a small number of common passwords across many different accounts to avoid lockouts.
D. Dictionary attacks always require access to hashed password databases and cannot be performed against live login forms.
E. Online brute-force attacks usually generate very little authentication log noise because they use a single carefully chosen password per account.
Correct answers: A and C
Explanation: This question focuses on recognizing how different password attacks behave conceptually and in logs. Brute force and dictionary attacks typically involve many guesses against a single account, whereas password spraying spreads a small set of common passwords across many accounts. Credential stuffing reuses real username/password pairs stolen from previous breaches on other sites, relying on password reuse. Understanding these patterns helps analysts interpret authentication logs and identify which attack is likely occurring.
Credential stuffing and password spraying are especially common against web and cloud logins today because they attempt to bypass account lockout and weak monitoring by staying just under typical alert thresholds.
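The explanation above says these attacks are told apart by how they look in authentication logs. The following script is an added example for this page, not IT Mastery's code: it applies the three patterns described (many failures on one account, a few guesses each across many accounts from one source, one breach-list pair per account from many sources) to a constructed log. The log format, the local account list `KNOWN_USERS`, and every threshold are assumptions chosen for the demonstration; a real SIEM rule would be tuned to the environment's normal failure rate.

```python
"""Heuristic classification of password-attack patterns in authentication logs.

Added example for this practice page (not IT Mastery's code). The log format,
the known-user list and all thresholds are constructed assumptions.
"""
import re
from collections import Counter, defaultdict

# Constructed log line shape: "<timestamp> src=<ip> user=<name> result=OK|FAIL"
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)")

# Constructed local directory. Breach-derived credential lists often contain
# usernames that simply do not exist at the target, which helps separate
# credential stuffing from spraying against a known account list.
KNOWN_USERS = {"alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"}

# Constructed thresholds (assumptions, not vendor defaults).
BRUTE_FORCE_MIN_FAILS = 10   # many guesses against one account from one source
SPRAY_MIN_ACCOUNTS = 5       # one source touches many accounts ...
SPRAY_MAX_PER_ACCOUNT = 2    # ... but only a guess or two each, staying under lockout
STUFFING_MIN_ACCOUNTS = 5    # many accounts, one attempt each ...
STUFFING_MIN_SOURCES = 5     # ... from many sources


def parse(lines):
    """Turn raw log lines into dicts; lines that do not match are ignored."""
    return [m.groupdict() for m in map(LINE_RE.search, lines) if m]


def analyze(lines):
    """Return {pattern_name: [details, ...]} for the patterns found in the log."""
    fails = [e for e in parse(lines) if e["result"] == "FAIL"]
    findings = defaultdict(list)

    # Per-source view: who is this IP failing against, and how often per account?
    per_src = defaultdict(Counter)
    for e in fails:
        per_src[e["src"]][e["user"]] += 1

    attributed = set()  # sources already explained by a single-source pattern
    for src, users in per_src.items():
        top_user, top_n = users.most_common(1)[0]
        if top_n >= BRUTE_FORCE_MIN_FAILS:
            findings["brute_force_or_dictionary"].append(
                {"src": src, "user": top_user, "fails": top_n})
            attributed.add(src)
        elif len(users) >= SPRAY_MIN_ACCOUNTS and top_n <= SPRAY_MAX_PER_ACCOUNT:
            findings["password_spraying"].append(
                {"src": src, "accounts": len(users), "max_per_account": top_n})
            attributed.add(src)

    # Cross-source view for the remaining failures: one attempt per account,
    # many sources, and a large share of usernames unknown to the directory.
    rest = [e for e in fails if e["src"] not in attributed]
    per_user = Counter(e["user"] for e in rest)
    single_shot = {u for u, c in per_user.items() if c == 1}
    sources = {e["src"] for e in rest if e["user"] in single_shot}
    unknown = [u for u in single_shot if u not in KNOWN_USERS]
    if (len(single_shot) >= STUFFING_MIN_ACCOUNTS
            and len(sources) >= STUFFING_MIN_SOURCES
            and 2 * len(unknown) >= len(single_shot)):
        findings["credential_stuffing"].append(
            {"sources": len(sources), "accounts": len(single_shot),
             "unknown_accounts": len(unknown)})
    return dict(findings)


def build_sample_log():
    """Constructed log: normal logins, one brute-force source, one spraying
    source, and a credential-stuffing wave from many sources."""
    lines = ["2024-03-01T08:59:00Z src=10.0.0.5 user=alice result=OK",
             "2024-03-01T08:59:30Z src=10.0.0.9 user=grace result=OK"]
    lines += [f"2024-03-01T09:00:{i:02d}Z src=198.51.100.7 user=alice result=FAIL"
              for i in range(12)]
    for i, u in enumerate(["bob", "carol", "dave", "erin", "frank"]):
        lines.append(f"2024-03-01T09:05:{i:02d}Z src=203.0.113.20 user={u} result=FAIL")
    for i, u in enumerate(["jsmith", "mlee", "tnguyen", "rpatel", "grace", "heidi"]):
        lines.append(f"2024-03-01T09:10:{i:02d}Z src=192.0.2.{i + 1} user={u} result=FAIL")
    return lines


if __name__ == "__main__":
    for pattern, hits in analyze(build_sample_log()).items():
        print(pattern, hits)
```

The spraying and stuffing branches are deliberately separated: a single spraying source would otherwise look like "many accounts, one failure each" and be miscounted as stuffing, which is why sources already explained by a per-source pattern are excluded before the cross-source check runs.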
Topic: Threats, Vulnerabilities, and Mitigations
A hospital’s security team must assess its production electronic health record (EHR) system every quarter. Requirements from leadership specify that the testing must be largely automated, avoid actively exploiting findings, and minimize any chance of service disruption. Which type of security assessment should the team perform?
Options:
A. Covert red-team exercise focused on breaching patient data
B. Recurring authenticated vulnerability scans against the EHR systems
C. Full-scope external penetration test targeting the EHR environment
D. Public bug bounty program inviting anyone to test the EHR
Best answer: B
Explanation: This scenario centers on differentiating vulnerability scanning from penetration testing by focusing on level of intrusiveness and automation. The hospital wants quarterly assessments on a critical production system with three key requirements: the work should be largely automated, must not actively exploit vulnerabilities, and must minimize risk of disrupting the EHR.
Vulnerability scanning is designed for exactly this kind of use case. Scanners automatically probe systems for known weaknesses (missing patches, misconfigurations, weak protocols) and report them without attempting to exploit them. Because they are mostly automated and designed to be low impact, they are commonly scheduled to run regularly against production systems.
Penetration tests, red-team exercises, and bug bounties are all more intrusive, manual, and potentially disruptive. They involve human testers (or uncontrolled external participants) actively trying to exploit vulnerabilities and achieve real compromise, which conflicts with the hospital’s requirement to avoid exploitation and reduce outage risk.
Topic: Threats, Vulnerabilities, and Mitigations
Which security control is specifically designed to monitor endpoint behavior in real time and automatically detect and contain malware, including fileless attacks, on workstations and servers?
Options:
A. Traditional network firewall
B. Remote-access VPN
C. Endpoint detection and response (EDR)
D. Full-disk encryption
Best answer: C
Explanation: This question targets Domain 2 (Threats, vulnerabilities, and mitigations) and focuses on selecting the most appropriate technical control to detect and contain malware on endpoints.
Endpoint detection and response (EDR) tools are designed to gather detailed telemetry from endpoints (such as process creation, memory use, file access, and network connections), analyze that behavior, and identify patterns consistent with malware, including fileless attacks that may never drop a traditional executable to disk. EDR can alert analysts and, in many deployments, automatically isolate or remediate compromised endpoints.
By contrast, controls like full-disk encryption, traditional firewalls, and VPNs provide important protection for data at rest or in transit, or for network boundaries, but they do not focus on real-time behavioral monitoring and response on the endpoint itself, which is what the question is asking for.
Topic: Threats, Vulnerabilities, and Mitigations
A company’s public e-commerce site suddenly becomes almost unreachable. Monitoring shows inbound HTTPS requests spike from about 50 per second to over 50,000 per second, coming simultaneously from thousands of different source IP addresses worldwide. No recent configuration changes were made. Which type of attack is MOST likely occurring?
Options:
A. Single-source denial-of-service attack
B. Man-in-the-middle attack
C. Distributed denial-of-service attack
D. Replay attack
Best answer: C
Explanation: The key indicators in this scenario are a sudden, extreme spike in inbound HTTPS requests and the fact that these requests originate from thousands of different source IP addresses around the world. The symptom is loss of availability: the e-commerce site becomes almost unreachable.
This pattern is typical of a distributed denial-of-service (DDoS) attack. In a DDoS, an attacker uses many compromised systems (often a botnet) to flood a target with traffic, exhausting network bandwidth, CPU, or other resources so legitimate users cannot access the service.
No configuration changes and purely volume-based symptoms point away from misconfiguration and toward an external volume-based attack. The distributed nature of the sources (many IPs) is the crucial clue that distinguishes DDoS from a single-source DoS.
Recognizing traffic patterns—high volume, many sources, sudden onset—is a core part of identifying common network-based attacks for Security+ Domain 2 (Threats, vulnerabilities, and mitigations).
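The three clues named above (high volume, many sources, sudden onset) can be checked mechanically against a request log. The script below is an added example for this page, not IT Mastery's code: it buckets requests per second, compares each bucket to the scenario's baseline of about 50 requests per second, and separates a distributed flood from a single-source one by counting distinct client addresses. The traffic is constructed and scaled down from the scenario (5,000 rather than 50,000 requests per second), and the multiplier and source-count thresholds are assumptions.

```python
"""Per-second request buckets classified as normal, distributed DoS, or
single-source DoS. Added example for this practice page (not IT Mastery's
code); thresholds and traffic are constructed assumptions."""
from collections import defaultdict

BASELINE_RPS = 50              # from the scenario: ~50 requests/second is normal
RATE_MULTIPLIER = 10           # constructed: a bucket at >= 10x baseline is a spike
DISTRIBUTED_MIN_SOURCES = 100  # constructed: this many distinct IPs marks it distributed


def bucket_requests(requests):
    """requests: iterable of (epoch_second, source_ip).
    Returns {second: (request_count, distinct_source_count)}."""
    counts = defaultdict(int)
    sources = defaultdict(set)
    for second, src in requests:
        counts[second] += 1
        sources[second].add(src)
    return {s: (counts[s], len(sources[s])) for s in counts}


def classify_windows(buckets, baseline_rps=BASELINE_RPS):
    """Label each second. Volume alone says 'DoS'; the number of distinct
    sources is what distinguishes distributed from single-source."""
    labels = {}
    for second, (count, distinct) in sorted(buckets.items()):
        if count < baseline_rps * RATE_MULTIPLIER:
            labels[second] = "normal"
        elif distinct >= DISTRIBUTED_MIN_SOURCES:
            labels[second] = "ddos_suspected"
        else:
            labels[second] = "single_source_dos_suspected"
    return labels


def onset(labels):
    """First second at which traffic stopped being normal, or None."""
    for second in sorted(labels):
        if labels[second] != "normal":
            return second
    return None


def build_sample_traffic():
    """Constructed traffic: 5 s of baseline, 3 s of distributed flood from
    thousands of addresses in the 198.18.0.0/15 benchmarking range, then 2 s
    of single-source flood for contrast."""
    reqs = []
    for sec in range(0, 5):
        reqs += [(sec, f"192.0.2.{i % 30}") for i in range(50)]
    for sec in range(5, 8):
        reqs += [(sec, f"198.18.{i // 256}.{i % 256}") for i in range(5000)]
    for sec in range(8, 10):
        reqs += [(sec, "203.0.113.9") for _ in range(1000)]
    return reqs


if __name__ == "__main__":
    buckets = bucket_requests(build_sample_traffic())
    labels = classify_windows(buckets)
    print("onset at second", onset(labels))
    for sec in sorted(buckets):
        print(sec, buckets[sec], labels[sec])
```

In practice the baseline would be learned from recent history rather than fixed, and a single elevated second would not page anyone; the point is that request rate and distinct-source count are both needed, because a rate spike with one or two sources points to a single-source DoS (or a misbehaving client) rather than a DDoS.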
Use the CompTIA Security+ SY0-701 Practice Test page for the full IT Mastery route, mixed-topic practice, timed mock exams, explanations, and web/mobile app access.
Read the CompTIA Security+ SY0-701 Cheat Sheet on Tech Exam Lexicon, then return to IT Mastery for timed practice.