Text preview & study summary

CompTIA Security+ SY0-701 - Domains 3 4 5 Architecture Operations Program Management

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

An organization's risk assessment identifies a potential data breach with an annual probability of 10% and a single occurrence loss of $500,000. What is the ALE (Annual Loss Expectancy)?

Answer choices

  • A. $500,000

  • B. $50,000 (Correct)

  • C. $5,000,000

  • D. $100,000

Explanation

ALE = SLE × ARO (Annual Rate of Occurrence). SLE = $500,000 (Single Loss Expectancy). ARO = 10% = 0.10. ALE = $500,000 × 0.10 = $50,000. Organizations use ALE to justify security investment — if a control costs less than the ALE it mitigates, it's cost-effective.

Question 2

A security engineer is configuring email security. They want to prevent email spoofing by verifying that emails come from authorized mail servers for a domain. Which protocol/mechanism accomplishes this?

Answer choices

  • A. DKIM (DomainKeys Identified Mail)

  • B. SPF (Sender Policy Framework)

  • C. DMARC

  • D. Both SPF and DKIM, enforced via DMARC (Correct)

Explanation

SPF verifies the sending mail server is authorized for the domain. DKIM adds a cryptographic signature to verify the email wasn't modified in transit. DMARC ties them together, defining policy (none/quarantine/reject) and providing reporting. Full email authentication requires all three working together.

Question 3

A security operations center (SOC) analyst receives an alert for a known malware signature detected on a workstation. The workstation is confirmed to be running a licensed PDF reader with no recent changes. Investigation reveals the "malware" signature matches a legitimate PDF library function. What type of alert is this?

Answer choices

  • A. True positive

  • B. True negative

  • C. False positive (Correct)

  • D. False negative

Explanation

A false positive (FP) is an alert generated for activity that is actually benign. The AV/IDS flagged a legitimate application as malicious. FPs waste analyst time and erode trust in security tools. The signature should be tuned to exclude this legitimate software.

Question 4

A company's security policy requires that privileged administrative access to servers be performed through a dedicated workstation in a secured room, never directly. What is this dedicated workstation called?

Answer choices

  • A. Jump server (bastion host / privileged access workstation) (Correct)

  • B. Honeypot

  • C. DMZ server

  • D. Proxy server

Explanation

A jump server (bastion host) or PAW (Privileged Access Workstation) is a hardened, monitored system that serves as a secure intermediary for administrative access to servers. All admin sessions are routed through it, providing centralized logging, session recording, and access control.

Question 5

A security analyst is reviewing an endpoint detection and response (EDR) alert. A process called "explorer.exe" is making outbound connections to a suspicious IP on port 4444. What is the MOST likely interpretation?

Answer choices

  • A. Normal Windows behavior

  • B. The legitimate explorer.exe has been hollowed out or injected with malicious code (process injection) communicating with a C2 server (Correct)

  • C. Windows Update is in progress

  • D. OneDrive is syncing files

Explanation

explorer.exe should not make outbound network connections. Port 4444 is commonly used by Metasploit Meterpreter. This pattern indicates process injection or hollow process attack — malware injected into explorer.exe to appear legitimate while establishing C2 communications.