General Security Concepts — Security+ practice questions

Domain 1 of the CompTIA Security+ (SY0-701) exam. 117 questions on this domain in the full bank — here are four free samples with answers and explanations.

Question 1 · Difficulty 2/5

Which leg of the CIA triad is directly violated when an attacker intercepts unencrypted email messages traveling between two employees? (Select the best answer.)
  A. Integrity
  B. Availability
  C. Confidentiality
  D. Non-repudiation

Correct answer: C

Confidentiality
Confidentiality ensures that information is accessible only to authorized parties. Intercepting unencrypted messages allows an unauthorized party to read private data, which is the canonical threat to confidentiality. Integrity concerns unauthorized modification of data, which does not occur through passive interception alone. Availability concerns ensuring systems and data are accessible to authorized users, which is unaffected here. Non-repudiation is a security property related to the CIA triad but is not itself one of its three legs.

Question 2 · Difficulty 3/5

A hospital's electronic health record system becomes unreachable for six hours after an attacker floods its network interface with junk traffic. During the outage, clinicians cannot retrieve patient records. Which CIA triad leg is most directly threatened by this attack? (Select the best answer.)
  A. Confidentiality, because patient data may be exposed during the disruption
  B. Integrity, because flood traffic can corrupt records in transit
  C. Availability, because authorized users cannot access the system when needed
  D. Non-repudiation, because the attacker's identity cannot be confirmed

Correct answer: C

Availability, because authorized users cannot access the system when needed
Availability is the property that ensures systems and data are accessible to authorized users when needed. A network flood (denial-of-service) attack that prevents clinicians from retrieving records is the textbook availability threat. Confidentiality is threatened by unauthorized disclosure of data, not by disruption of access. Integrity would be threatened if records were altered or corrupted, which is not described. Non-repudiation is not a CIA triad leg; it addresses the ability to prove an action occurred.

Question 3 · Difficulty 3/5

A developer with access to a financial reporting database silently changes quarterly revenue figures before they are published, without any authorization. No data is disclosed outside the organization and no system goes offline. Which CIA triad leg is violated? (Select the best answer.)
  A. Confidentiality, because an insider accessed sensitive financial data
  B. Integrity, because authorized data was modified without authorization
  C. Availability, because the accuracy of the data is now unreliable for users
  D. Authentication, because the developer bypassed identity verification

Correct answer: B

Integrity, because authorized data was modified without authorization
Integrity ensures that data is accurate, complete, and has not been altered in an unauthorized manner. Unauthorized modification of revenue figures is the canonical integrity threat. Confidentiality is concerned with unauthorized disclosure; no disclosure is described here. Availability addresses whether systems and data are accessible; the system remains online and accessible. Authentication is a control mechanism, not a CIA triad leg.

Question 4 · Difficulty 2/5

Which of the following is the best example of a technical control? (Select the best answer.)
  A. A security awareness training program delivered to all employees
  B. An acceptable use policy distributed during onboarding
  C. Encryption applied to data stored on portable drives
  D. A perimeter fence surrounding a data center campus

Correct answer: C

Encryption applied to data stored on portable drives
Encryption is enforced by technology (hardware or software) and is the canonical example of a technical control. Security awareness training is an operational control because it relies on people performing activities. An acceptable use policy is a managerial control because it is an administrative document governing behavior. A perimeter fence is a physical control because it is a tangible barrier.
