Welcome to today’s CompTIA Security+ practice test!
Today’s practice test is based on subdomain 3.1 (Compare and contrast security implications of different architecture models.) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
Click the button below to start today’s practice exam. To view answers and explanations for today’s questions, expand the Answers accordion.
Results
#1. A security administrator at a healthcare organization is tasked with deploying new patient management applications. The CIO wants to avoid managing physical servers and instead focus on application code, while the cloud provider handles the operating system and runtime. Which architecture model best meets this requirement?
#2. Your organization is considering moving part of its infrastructure to the cloud but must retain control over sensitive legal records on-premises. The architecture must balance scalability with regulatory compliance. Which model provides the best approach?
#3. A financial institution wants to use Infrastructure as Code (IaC) for its deployments. The security manager warns that poorly written templates could expose sensitive customer databases. Which key implication of IaC should the manager highlight?
#4. A defense contractor uses an air-gapped network for classified data. During an audit, the security team highlights concerns about availability in case of a hardware failure. Which trade-off does this architecture represent?
#5. An administrator deploys microservices to support a new HR application. During penetration testing, the testers find that lateral movement between services could expose multiple sensitive components. What security control should be emphasized?
#6. Your company is moving to a centralized architecture model to simplify monitoring. The SOC manager warns that this could introduce a single point of failure. Which architecture approach would better balance resilience?
#7. A start-up chooses containerization for its new SaaS platform. The security engineer notes that if the host OS is compromised, all containers are at risk. Which implication should leadership consider?
#8. An energy company is deploying embedded systems for monitoring pipelines. The devices are expected to last 20 years in the field with minimal maintenance. Which security challenge is most significant?
#9. A multinational company wants to reduce downtime during outages. The architect suggests clustering instead of load balancing for critical database servers. Why?
#10. A research firm wants to use virtualization for multiple projects. A security analyst notes that resource reuse could expose sensitive information from one virtual machine to another. Which risk is this analyst describing?
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
To choose CompTIA Security+ practice tests based on specific domains/subdomains, click that link.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | C | A security administrator at a healthcare organization is tasked with deploying new patient management applications. The CIO wants to avoid managing physical servers and instead focus on application code, while the cloud provider handles the operating system and runtime. Which architecture model best meets this requirement? A. Infrastructure as a Service (IaaS) (Incorrect): With IaaS, the customer would still be responsible for managing the operating system and runtime. B. Software as a Service (SaaS) (Incorrect): With SaaS, the provider manages the entire application; the customer would only manage their data, not the application code. C. Platform as a Service (PaaS) (Correct): PaaS is the cloud model where the provider manages the operating system, runtime environment, and underlying infrastructure, allowing the customer (the healthcare organization) to focus solely on deploying and managing their application code and data. This perfectly matches the requirement. D. Serverless (Incorrect): While Serverless is similar to PaaS, PaaS is the general architecture model for a dedicated runtime environment, which fits the deployment of a complete application, and is the most common answer choice for this division of labor. |
| 2 | B | Your organization is considering moving part of its infrastructure to the cloud but must retain control over sensitive legal records on-premises. The architecture must balance scalability with regulatory compliance. Which model provides the best approach? A. Public cloud (Incorrect): This model places all resources and control outside the organization on a shared platform, which violates the requirement to retain control over sensitive on-premises data. B. Hybrid cloud (Correct): The Hybrid cloud model combines a company’s private, on-premises infrastructure (where sensitive legal records can be securely maintained for regulatory compliance) with public cloud services (to achieve scalability). The two environments are integrated, allowing the organization to place workloads where they best meet both security and performance needs. C. Multi-cloud (Incorrect): This refers to using multiple public cloud providers, which addresses vendor lock-in but does not inherently address the need to integrate on-premises infrastructure for compliance reasons. D. Community cloud (Incorrect): This is a cloud infrastructure shared by organizations with common concerns (e.g., security, compliance). It does not specifically describe the architecture needed to bridge an on-premises network with external cloud resources. |
| 3 | D | A financial institution wants to use Infrastructure as Code (IaC) for its deployments. The security manager warns that poorly written templates could expose sensitive customer databases. Which key implication of IaC should the manager highlight? A. Ease of deployment (Incorrect): This is a benefit of IaC, not a security risk implication. B. Risk transference (Incorrect): Risk transference involves moving risk to a third party (like a cloud provider). This scenario describes an internal risk created by poor code quality. C. Scalability (Incorrect): This is a benefit of IaC, allowing the environment to grow quickly. It is an operational advantage, not a security risk implication. D. Misconfiguration risks (Correct): The key implication is misconfiguration risks. Infrastructure as Code (IaC) allows for the rapid, automated deployment of infrastructure. A poorly written template containing a security flaw (like an exposed customer database port) can instantly and repeatedly apply that misconfiguration across the entire environment, amplifying the risk. |
| 4 | C | A defense contractor uses an air-gapped network for classified data. During an audit, the security team highlights concerns about availability in case of a hardware failure. Which trade-off does this architecture represent? A. High availability vs. cost (Incorrect): While relevant, this is too general. The core issue stems from the security architecture (isolation). B. Security vs. ease of deployment (Incorrect): The security is achieved, but the trade-off is related to availability (resilience), not ease of deployment. C. Physical isolation vs. resilience (Correct): The trade-off is physical isolation vs. resilience. An air-gapped network achieves maximum security through physical isolation (the lack of external connection). However, this isolation often prevents the use of automated, off-site replication and real-time redundancy, making the system less resilient against internal failures and threatening its availability. D. Scalability vs. risk transference (Incorrect): These concepts are unrelated to the fundamental security/availability conflict in an air-gapped network. |
| 5 | A | An administrator deploys microservices to support a new HR application. During penetration testing, the testers find that lateral movement between services could expose multiple sensitive components. What security control should be emphasized? A. Network segmentation (Correct): The control that should be emphasized is network segmentation, specifically micro-segmentation in a microservices environment. This technique involves isolating each service (or small groups of services) into its own network zone and using firewall rules or a service mesh to strictly define and limit the traffic flow between them. This prevents an attacker who compromises one service from moving laterally to other sensitive components. B. Tokenization (Incorrect): Tokenization is a data security technique that protects sensitive data by replacing it with a non-sensitive equivalent. It does not address network control or lateral movement. C. Load balancing (Incorrect): Load balancing distributes traffic across servers to optimize performance and availability. It is not a security control for preventing internal, lateral movement. D. Risk transference (Incorrect): Risk transference is a business strategy, such as purchasing insurance, to shift financial risk to another party. It is not a technical security control. |
| 6 | B | Your company is moving to a centralized architecture model to simplify monitoring. The SOC manager warns that this could introduce a single point of failure. Which architecture approach would better balance resilience? A. Centralized processing (Incorrect): This is the architecture model the company is moving towards. While it simplifies monitoring, it is the one that introduces the single point of failure the manager is concerned about. B. Decentralized architecture (Correct): A decentralized architecture distributes processing and data across multiple independent nodes or systems. This approach eliminates the single point of failure inherent in a centralized model, thereby significantly improving resilience and availability. C. Containerization (Incorrect): Containerization (using technologies like Docker or Kubernetes) is a deployment technology. While it can be used to build a decentralized architecture, it is not the architectural approach itself. D. Virtualization (Incorrect): Virtualization is a technology that abstracts hardware. Like containerization, it enables different architectures but is not the architectural model that specifically addresses the balance between centralization and resilience. |
| 7 | C | A start-up chooses containerization for its new SaaS platform. The security engineer notes that if the host OS is compromised, all containers are at risk. Which implication should leadership consider? A. Patch availability (Incorrect): While the host OS must be patched, “shared kernel vulnerabilities” is the more direct explanation for the catastrophic risk described. B. Ease of deployment (Incorrect): This is a key benefit of containerization, not a security risk implication. C. Shared kernel vulnerabilities (Correct): The implication that leadership should consider is shared kernel vulnerabilities. Containers on the same host operate with their own file systems and processes but fundamentally rely on the single kernel of the host operating system. A security flaw or compromise in that shared kernel breaks the isolation boundary, allowing an attacker to escape one container and potentially gain control over the host and all other containers running on it. D. Cost reduction (Incorrect): This is an economic benefit of containerization, not a security implication. |
| 8 | A | An energy company is deploying embedded systems for monitoring pipelines. The devices are expected to last 20 years in the field with minimal maintenance. Which security challenge is most significant? A. Patch availability (Correct): The most significant security challenge is patch availability. Embedded systems with a 20-year lifespan are highly susceptible to security flaws discovered years after deployment. The original hardware and software vendors are likely to end support long before the device’s life cycle is over, leading to a complete inability to deploy necessary security patches and leaving the system permanently vulnerable. B. Resilience (Incorrect): Resilience is the ability to maintain availability despite failures. While a challenge, the root cause of the long-term risk is the inability to address vulnerabilities through patching. C. Scalability (Incorrect): This is a non-security, operational challenge related to growth, not the long-term security of the device itself. D. Ease of recovery (Incorrect): This is related to resilience. The bigger problem is preventing the initial compromise over two decades, which is directly tied to patching. |
| 9 | A | A multinational company wants to reduce downtime during outages. The architect suggests clustering instead of load balancing for critical database servers. Why? A. Clustering improves redundancy and failover (Correct): Clustering is the superior choice for critical database servers because it provides redundancy (multiple servers maintain a copy of the data) and enables automatic failover. When the primary database server fails, the standby server (node) instantly takes over the workload, virtually eliminating downtime. B. Clustering increases responsiveness for end-users (Incorrect): Load balancing is the technique primarily used to increase responsiveness by spreading traffic across multiple servers. C. Load balancing provides stronger encryption (Incorrect): Encryption strength is a cryptographic function unrelated to network traffic distribution or clustering. D. Load balancing reduces patch requirements (Incorrect): Neither clustering nor load balancing reduces the need for system patching. |
| 10 | A | A research firm wants to use virtualization for multiple projects. A security analyst notes that resource reuse could expose sensitive information from one virtual machine to another. Which risk is this analyst describing? A. VM escape (Correct): The analyst is describing a risk that could lead to a VM escape. VM escape is a critical vulnerability where an attacker breaks out of the isolated guest operating system and gains access to the hypervisor or the host operating system. The specific risk of resource reuse (where the hypervisor reassigns memory or disk blocks without properly scrubbing residual data) is a known way that one virtual machine could leak sensitive information to another co-located virtual machine, which is a failure of the isolation boundary that VM escape represents. B. Race condition (Incorrect): A race condition is a timing flaw in an application’s execution sequence. It does not specifically describe data leakage due to resource reuse in virtualization. C. Shared kernel risk (Incorrect): This is the primary risk associated with containerization, where multiple containers share the host operating system kernel. Virtual machines use separate kernels. D. Logical segmentation (Incorrect): Logical segmentation is a mitigation technique (separating systems virtually), not a risk. |