Welcome to today’s practice test!

Today’s practice test is based on subdomains 1.1 (Compare and contrast various types of security controls) and 1.2 (Summarize fundamental security concepts) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

#1. A security administrator at a multinational company is designing layered security controls for data centers and cloud assets. He uses motion detectors, biometric access controls, and IDS/IPS systems. Which type of control classification best describes these measures?

#2. An organization installs fencing, bollards, and lighting around its perimeter. What type of security control category do these measures fall under?

#3. An attacker is attempting to breach an enterprise environment. The honeynet deployed by the security team captures his behavior. What type of control is a honeynet?

#4. Which of the following controls is primarily focused on ensuring compliance with policies and directives?

#5. An administrator is required to authenticate both users and endpoint devices before allowing access to sensitive resources. Which fundamental concept does this demonstrate?

#6. An analyst in a SOC observes logs showing access attempts outside normal business hours. What type of AAA principle does this reflect?

#7. Which security concept ensures actions cannot later be denied by a user?

#8. A Zero Trust architecture uses a central point that decides whether to allow or deny access based on dynamic conditions. Which component performs this function?

#9. Which of the following best describes a compensating control?

#10. Which of the following is an example of a managerial control?

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.

Answers and explanations for today’s questions follow below.

Answers

#1. Answer: C

Technical controls are security measures implemented within information systems and their related components (hardware, software, firmware). Motion detectors, biometric access controls, and IDS/IPS systems are all technology-based solutions that directly protect assets.

Managerial controls involve organizational policies, procedures, and guidelines (e.g., security policies, risk assessments, awareness training).

Operational controls involve the day-to-day security activities performed by people (e.g., incident response, patch management, security awareness). While related to operations, the measures listed are specifically technical implementations.

Compensating controls are alternative security measures put in place to address a security requirement that cannot be met by primary controls. This is a classification by purpose, not the inherent type of the controls described.

#2. Answer: D

Physical security controls are tangible measures used to protect assets, facilities, and personnel from unauthorized access, damage, or theft. Fencing, bollards, and lighting are all physical structures and installations designed to secure a perimeter.

Some of these controls act as preventive measures (stopping an attack from occurring), but “physical” describes the category of the control itself.

Some of these controls also act as deterrents (discouraging attacks), but, as with “preventive,” “physical” is the overarching category that describes their nature.

Detective controls identify incidents after they have occurred (e.g., alarms, cameras). Fencing and bollards are primarily about stopping or discouraging, not detecting.

#3. Answer: C

A honeynet is a network of honeypots used to observe and learn about attacker tactics, techniques, and procedures (TTPs). Its primary purpose is to detect and record malicious activity, not to prevent it from happening or to compensate for other controls.

Preventive controls aim to stop an attack before it happens (e.g., firewalls, access controls). A honeynet allows an attack to proceed so that it can be observed.

Compensating controls are alternative measures used when a primary control cannot be met. A honeynet is a specific security tool for threat intelligence and detection, not typically a compensating measure.

Directive controls are policies, procedures, and guidelines that dictate behavior (e.g., “all employees must use strong passwords”). A honeynet is a technical system, not a policy.

#4. Answer: B

Directive controls are primarily focused on ensuring compliance by guiding or regulating behavior. These are typically policies, procedures, standards, and guidelines that dictate what users or systems should do to comply with security requirements.

Corrective controls aim to reduce the impact of an incident after it has occurred (e.g., incident response, patching). They focus on recovery and remediation, not on setting compliance rules.

Compensating controls are alternative security measures used when a primary control cannot be implemented. Their focus is on filling a gap, not on directly ensuring compliance with policies.

Managerial controls involve the oversight and governance of security (e.g., risk assessments, security awareness training). While they set the stage for compliance, “directive” specifically refers to the policies and rules that directly ensure compliance.

#5. Answer: C

The core principle of Zero Trust is “never trust, always verify.” It dictates that no user or device, whether inside or outside the network, should be trusted by default. Instead, every access attempt to resources must be authenticated and authorized, which means continuous verification of both the user and the endpoint.

Non-repudiation ensures that a party cannot deny having performed an action (e.g., through digital signatures). It is about accountability after an action, not initial access verification.

Authorization is about determining what an authenticated user or device is allowed to do. While authenticating both is a prerequisite, the concept described (authenticating both users and devices before allowing access) is the broader “never trust” philosophy of Zero Trust. Authorization is a component within Zero Trust.

Accounting (or auditing) involves tracking user activities and resource consumption for accountability and forensics. It occurs after access is granted and actions are performed, not before access is granted.

#6. Answer: D

Accounting (also known as auditing or accountability) in AAA refers to tracking and recording user activities and resource usage. When a SOC analyst observes logs showing access attempts, especially with details such as time patterns, they are leveraging the data collected through the accounting principle to detect anomalies or suspicious behavior.

Authentication is the process of verifying a user’s identity (e.g., username and password). The logs record the result of authentication attempts, but the act of observing those records falls under accounting.

Authorization is the process of determining what an authenticated user is permitted to do. The logs might show whether access was authorized, but the act of recording and observing these events is accounting.

Availability ensures that systems and data are accessible to authorized users when needed. This principle is not directly related to observing login attempt patterns in logs.

#7. Answer: D

Non-repudiation is a security service that provides irrefutable proof that an action (e.g., sending a message, signing a document, performing a transaction) has occurred and cannot later be denied by the sender or originator. It typically relies on mechanisms such as digital signatures and audit trails.

Authentication confirms the identity of a user. While it is a prerequisite for non-repudiation, it does not by itself prevent denial of an action.

Authorization determines what an authenticated user is permitted to do. It is about access rights, not preventing denial of past actions.

Confidentiality ensures that information is accessible only to those authorized to have access. It is about secrecy, not preventing denial of actions.

#8. Answer: B

In a Zero Trust architecture, the Policy Engine is the core component responsible for making the access decision (allow or deny) by evaluating all relevant information (user identity, device posture, context, threat intelligence) against established policies. It is the “brain” that dynamically determines trust for each access request.

The Policy Administrator is responsible for managing and configuring the policies, but it is not the component that makes the real-time access decisions.

The Policy Enforcement Point is responsible for enforcing the decision made by the Policy Engine (i.e., granting or denying access). It does not make the decision itself.

The control plane is a broader architectural concept in networking and security that encompasses the components responsible for decision-making and policy management. While the Policy Engine is part of the control plane, “Policy Engine” is the most specific and accurate component that performs the stated function.

#9. Answer: B

A compensating control (or alternative control) is a security measure implemented to satisfy a security requirement that cannot be met by the primary or intended control. It acts as a substitute, providing an equivalent level of security, and can be temporary or permanent depending on why the primary control is not feasible.

‘A control used to detect an attack’ describes a detective control.

‘A security directive issued by compliance teams’ describes a directive control.

‘A control that enforces policies’ describes an enforcement control, or a technical/preventive control that puts policies into action.

#10. Answer: C

Managerial controls (also known as administrative controls) are focused on the organization’s policies, procedures, and governance related to security. An employee security awareness policy is a clear example of a directive from management to guide employee behavior regarding security.

Multifactor authentication is a technical control used to verify user identity.

Encryption of sensitive data is a technical control used to protect data confidentiality.

An intrusion detection system is a technical control used to monitor for and detect malicious activity.