Text preview & study summary
CompTIA Security+ SY0-701 - Domains 3 4 5 Architecture Operations Program Management
A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.
Want to test your knowledge? Launch the Interactive Exam Simulator
Question 1
An organization's risk assessment identifies a potential data breach with an annual probability of 10% and a single occurrence loss of $500,000. What is the ALE (Annual Loss Expectancy)?
Explanation
ALE = SLE × ARO (Annual Rate of Occurrence). SLE = $500,000 (Single Loss Expectancy). ARO = 10% = 0.10. ALE = $500,000 × 0.10 = $50,000. Organizations use ALE to justify security investment — if a control costs less than the ALE it mitigates, it's cost-effective.
Question 2
A security engineer is configuring email security. They want to prevent email spoofing by verifying that emails come from authorized mail servers for a domain. Which protocol/mechanism accomplishes this?
Explanation
SPF verifies the sending mail server is authorized for the domain. DKIM adds a cryptographic signature to verify the email wasn't modified in transit. DMARC ties them together, defining policy (none/quarantine/reject) and providing reporting. Full email authentication requires all three working together.
Question 3
A security operations center (SOC) analyst receives an alert for a known malware signature detected on a workstation. The workstation is confirmed to be running a licensed PDF reader with no recent changes. Investigation reveals the "malware" signature matches a legitimate PDF library function. What type of alert is this?
Explanation
A false positive (FP) is an alert generated for activity that is actually benign. The AV/IDS flagged a legitimate application as malicious. FPs waste analyst time and erode trust in security tools. The signature should be tuned to exclude this legitimate software.
Question 4
A company's security policy requires that privileged administrative access to servers be performed through a dedicated workstation in a secured room, never directly. What is this dedicated workstation called?
Explanation
A jump server (bastion host) or PAW (Privileged Access Workstation) is a hardened, monitored system that serves as a secure intermediary for administrative access to servers. All admin sessions are routed through it, providing centralized logging, session recording, and access control.
Question 5
A security analyst is reviewing an endpoint detection and response (EDR) alert. A process called "explorer.exe" is making outbound connections to a suspicious IP on port 4444. What is the MOST likely interpretation?
Explanation
explorer.exe should not make outbound network connections. Port 4444 is commonly used by Metasploit Meterpreter. This pattern indicates process injection or hollow process attack — malware injected into explorer.exe to appear legitimate while establishing C2 communications.
