Back to CompTIA Tech+ (Tech+)

Security

Master security concepts, device security, password practices, and encryption fundamentals (19% of exam).

Covers fundamental security concepts including confidentiality, integrity, availability (CIA triad), authentication, and authorization. Explores device security topics such as anti-malware, firewalls, patching, physical security, and safe browsing practices. Includes password best practices covering length, complexity, privacy, avoiding password reuse, and using password managers. Also covers encryption concepts including data at rest, data in transit, HTTPS, VPNs, and mobile device encryption.
5 minutes 5 Questions

Security in the context of CompTIA Tech+ encompasses the fundamental principles and practices essential for protecting computer systems, networks, and data from unauthorized access, threats, and vulnerabilities. This domain covers several critical areas that IT professionals must understand to main…

Concepts covered: Confidentiality principle, Integrity principle, Availability principle, CIA triad overview, Authentication methods, Authorization and access control, Multi-factor authentication (MFA), Single sign-on (SSO), Anti-malware software, Antivirus protection, Personal firewalls, Operating system patching, Software updates and patches, Physical security measures, Safe browsing practices, Mobile device security, Malware types and prevention, Password length requirements, Password complexity rules, Password privacy and protection, Avoiding password reuse, Password managers, Passphrase strategies, Account lockout policies, Encryption fundamentals, Data at rest encryption, Data in transit encryption, HTTPS protocol, VPN (Virtual Private Network), Mobile device encryption, Full disk encryption, SSL/TLS certificates, Phishing attacks, Social engineering, Ransomware threats, Insider threats, Zero-day vulnerabilities

Test mode:
Start practice test
Tech+ - Security Example Questions

Test your knowledge of Security

Question 1

Gregory, a database administrator at a financial services company, is troubleshooting connectivity issues and decides to test accessing an internal admin portal from his personal smartphone using the office guest WiFi network. The guest network requires accepting terms of service but has no authentication. Gregory's smartphone browser shows the admin portal URL correctly with HTTPS and a valid certificate, and he can see the login page loading normally. The portal contains sensitive customer financial records and system configuration options. Gregory knows his credentials work and could quickly verify if the portal is accessible, which would help isolate whether the connectivity problem is network-related or workstation-specific. Other IT staff have already left for the day and the issue is affecting overnight batch processing. How should Gregory approach this troubleshooting scenario while adhering to safe browsing protocols?

Correct Answer: Avoid accessing the sensitive admin portal through the guest network and instead use a company-approved VPN connection or wait to troubleshoot from a secured company workstation on the internal network

The correct approach is to avoid accessing the sensitive admin portal through the guest network and instead use a company-approved VPN connection or wait to troubleshoot from a secured company workstation on the internal network.

This is the proper response because:

  1. Network Segmentation Principles: Guest networks are intentionally separated from internal corporate resources for security reasons. Accessing sensitive admin portals containing customer financial records from an unauthenticated guest network violates basic network security principles.

  2. Personal Device Risk: Using a personal smartphone (which may not have the same security controls as company devices) to access sensitive financial systems introduces unnecessary risk, regardless of HTTPS encryption.

  3. Compliance Concerns: Financial services companies are subject to strict regulatory requirements. Accessing customer financial data from unsecured networks and personal devices could violate compliance obligations.

  4. Safe Browsing Protocols: Proper security practices dictate that sensitive administrative access should only occur through approved channels and secured networks.

The second option is incorrect because HTTPS encryption alone does not make accessing sensitive systems from untrusted networks acceptable. The guest network itself could be compromised, monitored, or subject to various attacks. Security is about layers, not just encryption.

The third option is flawed because there is no distinction between 'read-only verification' and full access from a security standpoint. Once credentials are entered on an unsecured network, they could potentially be intercepted through various attack methods. Additionally, the portal contains sensitive data that should not be viewed on unsecured networks.

The fourth option incorrectly assumes that private browsing mode provides network-level security. Private browsing only prevents local browser history and cookie storage - it provides zero protection against network-based monitoring, man-in-the-middle attacks, or other threats present on untrusted networks.

Question 2

During a security audit at a software development company, the auditor discovers that the organization's password manager implements biometric authentication as a secondary unlock method alongside the master password. A senior developer questions whether this biometric data could be extracted from the password manager's database if compromised. The auditor needs to clarify how modern password managers typically handle biometric authentication data storage. What should the auditor explain about where biometric templates are typically stored in well-designed implementations?

Correct Answer: Biometric templates remain on the device's secure enclave or TPM, while the password manager only receives an authentication confirmation signal from the operating system

The correct answer explains that biometric templates remain on the device's secure enclave or TPM (Trusted Platform Module), while the password manager only receives an authentication confirmation signal from the operating system.

This is how modern, well-designed implementations handle biometric authentication:

  1. Secure Hardware Storage: Biometric data (fingerprints, facial recognition templates) is stored in dedicated secure hardware components like Apple's Secure Enclave, Android's Trusted Execution Environment, or Windows TPM chips.

  2. Isolation Principle: The biometric template never leaves this secure hardware. Applications like password managers cannot access the raw biometric data.

  3. Authentication Flow: When you use biometric unlock, the operating system's security framework handles the comparison locally in the secure enclave and simply returns a yes/no authentication result to the requesting application.

This design ensures that even if the password manager's database is compromised, the attacker cannot extract biometric templates because they were never stored there in the first place.

The other options are incorrect because:

  • Storing biometric templates encrypted within the password manager's vault would be a security risk and is not how proper implementations work. Password managers are not designed to store or process biometric data.

  • Hashing biometric templates and storing them in the vault database contradicts the fundamental security architecture of modern devices. Biometric data should never be accessible to third-party applications.

  • Converting biometric templates to cryptographic keys that replace the master password misrepresents how biometric authentication works. Biometrics serve as a convenient secondary unlock method but typically work alongside (not replace) the master password, which remains the primary encryption key for the vault.

Question 3

Marcus, a junior network administrator, notices that a developer's workstation is generating unusual outbound traffic patterns during off-hours. Upon investigation, he discovers that a recently installed third-party development tool is attempting to communicate with multiple external IP addresses. The developer insists the tool is legitimate and necessary for their work. The organization's security policy requires all applications to be validated before network access is granted. What is the most appropriate configuration approach Marcus should implement using the personal firewall on the developer's workstation?

Correct Answer: Create application-specific outbound rules that permit the tool to connect only to verified destination addresses and ports while logging all connection attempts for ongoing monitoring

The correct answer involves creating application-specific outbound rules that permit the tool to connect only to verified destination addresses and ports while logging all connection attempts for ongoing monitoring.

This approach is the most appropriate because it follows the principle of least privilege - allowing only the necessary connections to specific, validated destinations rather than open access. By restricting outbound traffic to verified IP addresses and ports, Marcus ensures that the development tool can function as needed while preventing potential data exfiltration or communication with malicious servers. The logging component is crucial because it provides visibility into the tool's network behavior, allowing for ongoing security monitoring and compliance verification with the organization's security policy.

The second option is incorrect because allowing the tool to connect to any external addresses defeats the purpose of security controls. Prioritizing development traffic over security protocols is a dangerous practice that could expose the organization to significant risks.

The third option is flawed because allowing all traffic from signed applications is too permissive - malicious software can also be signed. Additionally, focusing on inbound rules doesn't address the original problem, which involves unusual outbound traffic patterns.

The fourth option is problematic because categorizing the tool as trusted software and permitting bidirectional communication on standard web ports provides excessive access. This zone-based approach with broad port access doesn't adequately address the security concern of unknown external communications and doesn't align with the organization's policy requiring application validation before network access.

More Security questions
143 questions (total)
Start 100 question test