50 CompTIA Security+ Practice Questions: Question Bank 2025
Build your exam confidence with our curated bank of 50 practice questions for the CompTIA Security+ certification. Each question includes detailed explanations to help you understand the concepts deeply.
Why Use Our 50 Question Bank?
Strategically designed questions to maximize your exam preparation
50 Questions
A comprehensive set of practice questions covering key exam topics
All Domains Covered
Questions distributed across all exam objectives and domains
Mixed Difficulty
Easy, medium, and hard questions to test all skill levels
Detailed Explanations
Learn from comprehensive explanations for each answer
Practice Questions
50 practice questions for CompTIA Security+
A security analyst needs to ensure that an employee can access only the HR file share and nothing else. Which access control principle best supports this requirement?
A systems administrator wants to reduce the risk of password spraying against cloud-based email accounts. Which control is the BEST first step to implement?
A company wants to ensure all laptops are configured with the same secure settings (e.g., firewall enabled, screen lock timeouts, and approved encryption). Which solution BEST provides centralized enforcement of these settings?
Which document would MOST likely define how long an organization must retain security logs to meet regulatory and business requirements?
After enabling a new DNS filtering service, users report they cannot access a partner’s web application. The security team confirms the domain is being blocked due to a false positive categorization. What is the BEST next step?
A company is redesigning its network to limit lateral movement between user workstations and critical servers. Which architecture change BEST supports this goal?
During a review, a security analyst finds that developers are using long-lived access keys embedded in application code to access cloud storage. Which remediation is BEST?
A security manager needs to ensure a critical business process can be restored within four hours after an outage and that no more than 15 minutes of data is lost. Which pair of metrics is being described?
A SOC receives an alert that a workstation is repeatedly attempting to authenticate to many internal hosts using a valid employee username at a high rate. EDR shows the process initiating connections is a script interpreter running from the user's temporary directory. Which action is BEST to take FIRST?
A company must allow third-party vendors to access a specific internal application. The security team wants to avoid placing the application directly on the internet and wants to continuously validate access based on user identity, device posture, and context. Which solution BEST meets these requirements?
A department wants to quickly reduce the risk of users installing unauthorized browser extensions on company laptops. Which action is the BEST first step?
A security analyst needs to ensure authentication logs can be correlated across servers and network devices during an incident investigation. Which requirement is MOST important to implement?
A company is creating a data classification policy. Which of the following is the BEST example of "Confidential" data?
A cloud administrator wants to prevent publicly exposed storage objects. Which configuration is the BEST control to reduce accidental data exposure?
A SOC receives alerts that an internal host is making DNS requests for randomized subdomains at a high rate (e.g., a1b2c3.example.com, z9y8x7.example.com). Which technique is MOST likely being used?
A company wants to ensure that each microservice in its environment can communicate only with specific required services, even if they share the same Kubernetes cluster. Which approach BEST meets this requirement?
An organization is implementing a formal change management process. Which item is MOST important to include to reduce the likelihood of outages caused by security patches?
During an incident, an analyst needs to preserve a copy of a suspect workstation's drive in a way that supports potential legal action. Which action is MOST appropriate?
A company is designing an access model where administrators can perform privileged tasks only through a controlled workflow, with time-limited elevation and session recording. Which solution BEST meets these requirements?
A security team discovers that an attacker accessed a web application by exploiting a server-side request forgery (SSRF) flaw to retrieve instance metadata and obtain temporary cloud credentials. Which mitigation is MOST effective to prevent this specific attack path?
A small business wants employees to access a cloud CRM from personal phones. The company wants to prevent data from being copied into personal apps while still allowing access to the CRM. Which solution BEST meets this requirement?
A help desk technician receives an alert that a workstation is repeatedly attempting to authenticate to many different internal servers within seconds, using a single username and many passwords. Which type of attack is MOST likely occurring?
A security analyst must ensure all systems are using consistent time to support reliable log correlation during investigations. Which of the following is the BEST solution?
A company wants to protect its public web application from common attacks (e.g., SQL injection, XSS) without changing application code. Which control is MOST appropriate?
A security team is implementing a zero trust approach. Which change BEST aligns with zero trust principles for internal network access?
An organization wants to reduce the risk of compromised credentials being used to access SaaS applications. The organization wants logins to be valid only from managed devices that meet security baselines. Which capability BEST meets this need?
A third-party vendor must connect to a single internal database server for maintenance. The security team wants to reduce lateral movement risk and strictly limit what the vendor can reach. Which design is BEST?
A security administrator wants to verify that critical application logs have not been altered after collection and that tampering would be detectable. Which approach BEST provides this assurance?
A company processes credit card data and must ensure encryption keys are protected from extraction even if an application server is compromised. Which solution BEST addresses this requirement?
A security officer is developing a risk treatment plan for a legacy system that cannot be patched for a known vulnerability. The system is mission-critical, and downtime for replacement is not possible this quarter. Which action BEST represents risk transference?
A company is hiring a third-party firm to handle payroll processing. Which document should the company use to define security requirements such as encryption, access controls, and breach notification timelines?
A security analyst wants to reduce the risk of credential theft from phishing by requiring a second factor that is resistant to replay and man-in-the-middle attacks. Which option best meets this requirement?
A SOC is triaging an alert that indicates multiple failed logins followed by a successful login to an executive's email account from an unfamiliar location. Which activity best describes the SOC's next step to validate the alert quickly?
An organization wants to ensure employees can access an internal web application only when connected through a secure tunnel from unmanaged networks. Which solution best enforces this requirement?
A healthcare organization is deploying a new application that stores sensitive patient records. The security team requires that encryption keys be protected from extraction and that cryptographic operations be performed in dedicated hardware. Which solution best meets this requirement?
A company is experiencing increased attacks against its public-facing web application. The security team wants to detect and block common web exploits (e.g., SQL injection, cross-site scripting) while allowing legitimate traffic. Which control should be implemented?
A security engineer notices that a VLAN used for VoIP phones can reach the internal database subnet, which violates policy. What is the best technical control to enforce segmentation between these networks?
A company wants to adopt a structured approach to reduce cyber risk by identifying, analyzing, and prioritizing risks, then tracking treatment decisions over time. Which artifact best supports this goal?
During an investigation, analysts discover a compromised server is beaconing to a command-and-control domain. The domain changes frequently, but the TLS certificate presented by the C2 infrastructure remains consistent. Which detection approach is most effective for identifying related traffic across the environment?
A multinational organization must ensure that only authorized administrators can decrypt highly sensitive backups stored in cloud object storage, and that no single administrator can decrypt data without another party’s approval. Which solution best meets this requirement?
A security analyst must ensure encrypted management traffic to a network switch cannot be downgraded to an older, weaker protocol during negotiation. Which control BEST addresses this risk?
A company wants to reduce the amount of sensitive data stored on employee laptops while still allowing staff to work while traveling. Which approach BEST supports this requirement?
A technician is updating a written procedure so new employees can accurately follow the steps to revoke user access when someone leaves the company. Which document type is being updated?
A company wants a security control that detects and blocks malicious commands being injected into web application requests (e.g., SQL injection) before the requests reach the application servers. Which solution is MOST appropriate?
After enabling centralized log collection, an analyst notices that event timestamps from different servers do not align, making correlation difficult. Which action should the analyst take FIRST?
A cloud administrator wants to ensure that if an attacker gains access to a cloud access key, the key alone cannot be used to authenticate. Which control BEST mitigates this risk?
A company is deploying a new internal application. Security requirements state that no single administrator should be able to both deploy code changes and approve them in production. Which principle is being applied?
A security engineer is reviewing an alert that a host is rapidly attempting connections to many sequential ports on a single internal server. Which activity is MOST likely occurring?
A company is designing a highly available storage system. The security team requires that if one disk contains sensitive data and is removed, the data remains unreadable without access to the rest of the array. Which RAID characteristic BEST meets this requirement?
An organization must allow a third-party vendor to access a single internal web application, but the vendor should never have direct network access to internal subnets. The solution must provide strong authentication, granular authorization, and session logging. Which approach BEST meets these requirements?
CompTIA Security+ 50 Practice Questions FAQs
CompTIA Security+ is a professional certification from CompTIA that validates expertise in CompTIA Security+ technologies and concepts. The official exam code is SY0-701.
Our 50 CompTIA Security+ practice questions include a curated selection of exam-style questions covering key concepts from all exam domains. Each question includes detailed explanations to help you learn.
50 questions is a great starting point for CompTIA Security+ preparation. For comprehensive coverage, we recommend also using our 100 and 200 question banks as you progress.
The 50 CompTIA Security+ questions are organized by exam domain and include a mix of easy, medium, and hard questions to test your knowledge at different levels.