CompTIA Security+ (SY0-701) · Difficulty

Hard SY0-701 practice questions

Challenge — multi-step scenarios, trade-offs, and subtle distinctions. 13 hard questions available — no sign-up, always free.

Question 1 of 13

A security analyst is reviewing vulnerability scan results for the company's environment. Two findings must be prioritized for remediation: Finding 1 has a CVSS base score of 9.8 but affects an isolated internal test server with no network access to production. Finding 2 has a CVSS base score of 7.5 and affects a customer-facing web server that processes payment data. Company risk tolerance is low, and PCI DSS compliance is required. Which finding should the analyst remediate first, and why?

Reviewed for accuracy · Report an issue
Question 2 of 13

A multinational financial services company is expanding operations into the European Union and must comply with GDPR requirements for customer data. The company currently stores all customer records in a centralized database hosted in their US-based data center. Which approach BEST addresses data sovereignty concerns while maintaining operational efficiency?

Reviewed for accuracy · Report an issue
Question 3 of 13

A retail organization is redesigning its point-of-sale system to reduce the scope of PCI DSS compliance. The security team needs to protect credit card numbers while still allowing the system to reference transactions for returns and customer service inquiries. The solution must ensure that if the database is compromised, actual card numbers cannot be retrieved. Which data protection method best meets these requirements?

Reviewed for accuracy · Report an issue
Question 4 of 13

A healthcare organization stores nightly database backups on tape media that are transported by a third-party courier to an offsite facility 50 miles away. The security team is concerned about protecting patient health information during transit. Which cryptographic solution should be implemented to protect the confidentiality of the data if the tapes are lost or stolen during transport?

Reviewed for accuracy · Report an issue
Question 5 of 13

A financial services company is migrating customer credit card data to a cloud storage solution. Regulatory requirements mandate that cardholder data must be protected from unauthorized access even if storage media is physically compromised. The security team needs to select the most appropriate data protection method that addresses this specific compliance requirement while maintaining the ability to process transactions.

Reviewed for accuracy · Report an issue
Question 6 of 13

A retail company processes thousands of credit card transactions daily. Compliance auditors require that primary account numbers (PANs) not be stored in the company's databases or analytics systems, yet the marketing team still needs a consistent value to link repeat purchases from the same card without ever seeing the real card number. Which data protection method best satisfies both requirements?

Reviewed for accuracy · Report an issue
Question 7 of 13

A financial services company is building a new analytics platform in a non-production environment. Developers need realistic customer records that preserve referential integrity across tables (so the same customer account number consistently links related records), but the actual account numbers must never be exposed. The company also wants the ability to reverse the process in a secured production system to retrieve original values when required for reconciliation. Which data protection method BEST meets these requirements?

Reviewed for accuracy · Report an issue
Question 8 of 13

A security administrator configures firewall rules to block inbound traffic on port 23 (Telnet) and enforce SSH connections on port 22 instead. The administrator then creates a policy document requiring all remote access to use encrypted protocols. Which combination of control category and type best describes these actions?

Reviewed for accuracy · Report an issue
Question 9 of 13

A security analyst completes a vulnerability scan and identifies multiple vulnerabilities across the organization's web servers. The scan reveals CVE-2023-1234 with a CVSS score of 9.8 (critical) affecting a development server, CVE-2023-5678 with a CVSS score of 7.5 (high) affecting a production server, CVE-2023-9012 with a CVSS score of 8.1 (high) affecting a test environment server, and CVE-2023-3456 with a CVSS score of 6.5 (medium) affecting a production server. Which vulnerability should be prioritized for immediate remediation?

Reviewed for accuracy · Report an issue
Question 10 of 13

A security analyst receives a vulnerability scan report showing multiple findings across the organization's web servers. One vulnerability has a CVSS score of 9.8 with active exploits in the wild, but affects a development server with no external access. Another has a CVSS score of 6.5 with no known exploits, but affects the public-facing production web server processing customer transactions. Which factor should the analyst prioritize when determining remediation order?

Reviewed for accuracy · Report an issue
Question 11 of 13

A security analyst receives a vulnerability scan report indicating that a web server is running an outdated version of Apache with a critical remote code execution vulnerability (CVE-2021-41773). Upon investigation, the analyst confirms that the server is running Apache 2.4.51, but the organization applied a vendor-supplied security patch that specifically addresses this CVE without upgrading the version number. What should the analyst classify this finding as during the analysis phase?

Reviewed for accuracy · Report an issue
Question 12 of 13

A security analyst has completed a vulnerability scan of the organization's web servers and identified 247 vulnerabilities. The scan results show vulnerabilities with CVSS scores ranging from 2.1 to 9.8. Management has requested that critical issues be addressed first, but the team has limited resources. Which approach should the analyst use to prioritize remediation efforts?

Reviewed for accuracy · Report an issue
Question 13 of 13

A security analyst receives a critical alert from a vulnerability scanner indicating that a web server is running an outdated version of Apache with a known remote code execution vulnerability (CVE-2021-41773). The analyst verifies that the server is running Apache 2.4.51, but further investigation reveals that the specific vulnerable module (mod_cgi) has been disabled and the URI path normalization feature has been patched through a vendor-specific security update. What should the analyst's next action be?

Reviewed for accuracy · Report an issue