Domain 1 – Full Cross-Topic Review: General Security Concepts
This review integrates:
- Security Controls (categories, types, and selection)
- CIA Triad (confidentiality, integrity, availability)
- AAA (authentication, authorization, accounting)
- Zero Trust Architecture
- Change Management and Configuration Control
- Cryptography (symmetric, asymmetric, hashing)
- Public Key Infrastructure (PKI)
Expect scenario-based questions that require applying multiple concepts together.
Question 1
A company adopts a zero trust architecture but continues to grant broad VPN access to all internal resources once users authenticate at the perimeter.
What is the PRIMARY security concern?
A. VPN encryption is insufficient for zero trust
B. AAA services cannot function over VPN connections
C. VPN conflicts with PKI certificate validation
D. Zero trust requires per-resource access decisions regardless of network location
Answer & reasoning
Correct: D
Zero trust eliminates implicit trust based on network location. Granting broad access after VPN authentication is an implicit trust model that contradicts zero trust principles, which require continuous verification for every resource request.
Question 2
During a change management review, a security analyst discovers that a developer deployed a new API endpoint directly to production without approval. The endpoint accepts user input and queries a backend database.
What should the organization address FIRST?
A. Implement input validation on the endpoint
B. Encrypt database connections using TLS
C. Enforce the change management process to prevent unauthorized deployments
D. Revoke the developer's production access permanently
Answer & reasoning
Correct: C
The root cause is a breakdown in change management controls. While the endpoint may need technical fixes, the governance failure that allowed unauthorized production deployment must be corrected first to prevent recurrence.
Question 3
An organization uses symmetric encryption (AES-256) to protect data at rest. A new requirement mandates that external partners must access encrypted files without sharing a common secret key.
What is the BEST approach?
A. Implement asymmetric encryption so partners decrypt with their private keys
B. Share the AES key over a secure channel with each partner
C. Replace AES with a stronger hashing algorithm
D. Use digital signatures to authenticate data access
Answer & reasoning
Correct: A
Asymmetric encryption solves the key distribution problem. Files can be encrypted with each partner's public key, allowing only the corresponding private key holder to decrypt. Hashing provides integrity, not confidentiality, and sharing symmetric keys with multiple external parties creates unacceptable key management risk.
Question 4
A hospital must ensure that patient records cannot be altered after being finalized by a physician. The system must also verify the identity of the physician who finalized each record.
Which combination BEST addresses both requirements?
A. AES encryption and role-based access control
B. Digital signatures and cryptographic hashing
C. Symmetric encryption and multi-factor authentication
D. VPN tunneling and access control lists
Answer & reasoning
Correct: B
Digital signatures provide non-repudiation (physician identity verification) while cryptographic hashing ensures integrity (tamper detection). This combination directly addresses both the integrity and authentication requirements of the scenario.
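A worked version of the sign-then-verify flow the reasoning above describes, added here as an example that is not part of the original review. It uses Go's standard library (RSA-PSS over a SHA-256 digest of the record); the Record type, the physician key pairs and the record text are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Record is a constructed stand-in for a finalized patient record; the field
// names are this example's own, not a real EHR schema.
type Record struct {
	PatientID string
	Notes     string
}

// digest is the cryptographic hash the signature covers. Any change to the
// record changes the digest, which is how tampering is detected.
func digest(r Record) []byte {
	sum := sha256.Sum256([]byte(r.PatientID + "\x00" + r.Notes))
	return sum[:]
}

// finalize signs the record digest with the physician's private key; only the
// holder of that key can produce a signature that verifies under its public key.
func finalize(r Record, physician *rsa.PrivateKey) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, physician, crypto.SHA256, digest(r), nil)
}

// verifyFinalized checks both scenario requirements at once: the digest match
// proves integrity, the signature check proves which physician finalized it.
func verifyFinalized(r Record, sig []byte, physicianPub *rsa.PublicKey) bool {
	return rsa.VerifyPSS(physicianPub, crypto.SHA256, digest(r), sig, nil) == nil
}

func main() {
	drSmith, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed physician key pairs
	drJones, _ := rsa.GenerateKey(rand.Reader, 2048)
	rec := Record{PatientID: "P-0001", Notes: "Discharged; follow-up in two weeks"}
	sig, _ := finalize(rec, drSmith)

	altered := rec
	altered.Notes = "Discharged; no follow-up"
	fmt.Println("original, Smith's key:", verifyFinalized(rec, sig, &drSmith.PublicKey))     // true
	fmt.Println("altered, Smith's key: ", verifyFinalized(altered, sig, &drSmith.PublicKey)) // false
	fmt.Println("original, Jones's key:", verifyFinalized(rec, sig, &drJones.PublicKey))     // false
}
```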
Question 5
An organization classifies a new detective control as "administrative." A junior analyst argues it should be classified as "technical" because it involves reviewing system logs.
What determines the correct classification?
A. Whether the control uses technology or relies on human processes and policies
B. Whether the control detects or prevents threats
C. The sensitivity level of the data being protected
D. The frequency at which the control is executed
Answer & reasoning
Correct: A
Control categories (administrative, technical, physical) are determined by implementation method. A manual log review policy is administrative even though it involves technology; an automated SIEM alert would be technical. The control type (detective, preventive, etc.) is a separate classification axis from the category.
Question 6
A company implements multi-factor authentication for all cloud applications. Several weeks later, an attacker gains access to a cloud resource using a compromised session token stolen from a user's browser.
What zero trust principle was NOT adequately implemented?
A. Least privilege access
B. Encryption of data at rest
C. Network micro-segmentation
D. Continuous validation and session monitoring
Answer & reasoning
Correct: D
Zero trust requires continuous validation, not just initial authentication. MFA at login is insufficient if session tokens are not monitored for anomalous use, time-limited, or bound to device context. Continuous validation would detect or prevent token replay attacks.
Question 7
A security team deploys a compensating control after determining that the preferred technical control cannot be implemented due to legacy system limitations.
Which scenario BEST illustrates a compensating control?
A. Installing a next-generation firewall to replace an older model
B. Requiring passwords to meet minimum complexity standards
C. Adding encryption to a database that already supports it
D. Implementing enhanced logging and manual review when automated patching is not supported
Answer & reasoning
Correct: D
A compensating control is an alternative measure that provides equivalent risk reduction when the primary control cannot be implemented. Enhanced logging with manual review compensates for the inability to automate patching on a legacy system.
Question 8
A financial services firm requires all internal certificate authorities to use SHA-256 for signing. An administrator discovers that one subordinate CA is still issuing certificates signed with SHA-1.
What CIA triad element is MOST at risk?
A. Availability, because SHA-1 certificates may be rejected by modern clients
B. Confidentiality, because SHA-1 allows decryption of encrypted traffic
C. Integrity, because SHA-1 collision vulnerabilities could allow certificate forgery
D. Non-repudiation, because SHA-1 does not support digital signatures
Answer & reasoning
Correct: C
SHA-1 has known collision vulnerabilities, meaning an attacker could forge a certificate that hashes to the same value as a legitimately signed one. This directly undermines integrity. SHA-1 does support signatures (so D is incorrect), and hashing algorithms do not provide encryption (so B is incorrect).
Question 9
An organization implements a RADIUS server for centralized authentication. The IT manager wants to also track how long each user session lasts and what resources are accessed.
Which AAA component fulfills this requirement?
A. Authentication
B. Authorization
C. Accounting
D. Access control
Answer & reasoning
Correct: C
Accounting tracks session duration, resource usage, and user activity. Authentication verifies identity, and authorization determines permissions. Accounting provides the audit trail of what was actually done during the session.
Question 10
During a PKI audit, a security analyst finds that a certificate was issued to an internal server but the certificate's Subject Alternative Name (SAN) includes an external domain the organization does not own.
What is the MOST appropriate action?
A. Add the external domain to the organization's DNS records
B. Revoke the certificate and investigate the issuance process
C. Renew the certificate with a longer validity period
D. Configure the server to ignore SAN mismatches
Answer & reasoning
Correct: B
A certificate with an unauthorized SAN is a PKI integrity issue that could be exploited for man-in-the-middle attacks or domain spoofing. The certificate must be revoked immediately, and the CA issuance process must be investigated to determine how this occurred.
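An added example, not part of the original review, of the audit check that surfaces this finding: it reads a certificate's DNS SANs and reports every name that is not an owned domain or a subdomain of one. It uses Go's standard library; the self-signed test certificate, the owned-domain list and the hostnames are constructed for the example, and the owned list is assumed to be lowercase.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// newTestCert builds a self-signed certificate carrying the given DNS SANs so
// the audit runs offline; a real audit loads certificates exported from the CA.
func newTestCert(dnsNames []string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// unauthorizedSANs returns every DNS SAN that is neither an owned domain nor a
// subdomain of one; any hit is the revoke-and-investigate finding in Question 10.
func unauthorizedSANs(cert *x509.Certificate, owned []string) []string {
	var bad []string
names:
	for _, name := range cert.DNSNames {
		for _, d := range owned {
			if n := strings.ToLower(name); n == d || strings.HasSuffix(n, "."+d) {
				continue names // covered by a domain the organization controls
			}
		}
		bad = append(bad, name)
	}
	return bad
}

func main() {
	owned := []string{"example.internal"} // constructed: domains the organization controls
	cert := newTestCert([]string{"app01.example.internal", "login.other-company.test"})
	fmt.Println("SANs outside owned domains:", unauthorizedSANs(cert, owned))
}
```

The suffix check is anchored on the dot so that a look-alike such as notexample.internal is flagged rather than accepted as a subdomain.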
Question 11
An organization's change advisory board (CAB) approves a firewall rule change. After implementation, network monitoring shows unexpected traffic patterns that indicate the rule is overly permissive.
What process failure does this indicate?
A. The change management process lacked post-implementation validation
B. The CAB should not review firewall changes
C. Network monitoring is generating false positives
D. The firewall vendor's firmware is outdated
Answer & reasoning
Correct: A
Effective change management includes post-implementation review to verify changes produce the expected outcome. The CAB approved the change, but no validation step caught the overly permissive rule before it impacted production traffic.
Question 12
A cloud administrator configures a zero trust policy that requires device health checks before granting access. A contractor's personal laptop fails the health check but the contractor needs immediate access to complete a critical deliverable.
What is the MOST appropriate response?
A. Create a permanent exception for the contractor's device
B. Disable device health checks temporarily for all users
C. Provide access through a managed virtual desktop that meets policy requirements
D. Allow access and schedule a health check for the following week
Answer & reasoning
Correct: C
A managed virtual desktop satisfies zero trust requirements by ensuring the access environment meets security policy, without creating exceptions or weakening controls. This maintains the security posture while enabling business operations.
Question 13
A security architect is designing an authentication system that must support single sign-on across multiple applications. The system must also enforce different authorization levels per application based on user roles.
Which approach BEST satisfies both requirements?
A. Implement a federated identity provider with role-based access control per application
B. Deploy a shared password database accessible to all applications
C. Use the same encryption key across all applications for token generation
D. Configure each application with its own independent authentication system
Answer & reasoning
Correct: A
A federated identity provider enables SSO (one authentication for multiple applications) while RBAC per application ensures different authorization levels. Shared password databases are insecure, independent auth systems break SSO, and shared encryption keys violate cryptographic best practices.
Question 14
An organization encrypts all backups using AES-256. The encryption keys are stored on the same backup server.
What is the PRIMARY security weakness?
A. AES-256 is not strong enough for backup encryption
B. The backup server needs additional physical security controls
C. Backups should use asymmetric encryption instead of symmetric
D. Storing encryption keys with the encrypted data undermines confidentiality if the server is compromised
Answer & reasoning
Correct: D
If an attacker compromises the backup server, they obtain both the encrypted data and the keys to decrypt it. Key management best practices require storing keys separately from the data they protect. AES-256 is appropriate for backup encryption; the issue is key storage, not algorithm strength.
Question 15
A security policy requires that all configuration changes to production servers be documented, approved, and reversible. A system administrator applies an emergency patch to fix a critical vulnerability without following this process.
What should happen AFTER the emergency patch is applied?
A. No action needed since the vulnerability was critical
B. The administrator should be immediately terminated
C. A retroactive change management review should document the change and validate its impact
D. The patch should be rolled back until proper approval is obtained
Answer & reasoning
Correct: C
Emergency changes are sometimes necessary, but change management requires retroactive documentation and review. This maintains the audit trail, validates the change did not introduce new issues, and preserves process integrity without undoing a critical security fix.
Question 16
A web application uses HTTPS with a certificate signed by the organization's internal CA. External customers report certificate trust errors when accessing the application.
What is the MOST likely cause?
A. The HTTPS cipher suite is too weak
B. External clients do not trust the internal CA because it is not in their certificate trust store
C. The certificate uses asymmetric encryption, which external browsers do not support
D. The internal CA's certificate has been revoked by a public root CA
Answer & reasoning
Correct: B
Internal CAs are not included in public trust stores (browsers and operating systems). External customers' browsers will not trust certificates signed by an unknown CA. Public-facing applications require certificates from publicly trusted CAs. All modern browsers support asymmetric encryption, and internal CAs are not managed by public root CAs.
Question 17
A security team implements preventive, detective, and corrective controls for a critical database. The preventive control is access control lists, the detective control is audit logging, and the corrective control is automated account lockout after failed attempts.
A new regulation requires the organization to also implement a deterrent control. What should be added?
A. An intrusion detection system monitoring the database
B. An additional firewall rule restricting database port access
C. Database encryption at rest
D. A login banner warning that unauthorized access is monitored and subject to prosecution
Answer & reasoning
Correct: D
A deterrent control discourages threat actors from attempting unauthorized actions. A warning banner serves this purpose. An IDS is detective, encryption is preventive (confidentiality), and firewall rules are preventive. Deterrent controls target human behavior and decision-making.
Question 18
An organization implements certificate pinning for its mobile banking application. Shortly after deployment, the security team needs to rotate the server certificate due to a compromised private key.
What operational challenge does certificate pinning create in this scenario?
A. The mobile application will reject the new certificate until the app is updated with the new pin
B. Certificate pinning prevents certificate revocation from functioning
C. The compromised key cannot be rotated while pinning is active
D. Pinning conflicts with the TLS handshake and will break all connections
Answer & reasoning
Correct: A
Certificate pinning hardcodes the expected certificate or public key in the application. When the server certificate changes, the mobile app will reject the new certificate as untrusted until an app update includes the new pin. This is a known operational trade-off of pinning: stronger security against MITM attacks but reduced certificate rotation agility.
Question 19
A company's zero trust policy requires micro-segmentation. The network team segments the environment but allows unrestricted lateral movement within each segment.
What principle is being violated?
A. Defense in depth, because only one control layer exists
B. Least privilege, because access within segments should still be restricted to what is necessary
C. Separation of duties, because the network team should not manage segmentation
D. Non-repudiation, because lateral movement cannot be attributed
Answer & reasoning
Correct: B
Zero trust requires least privilege at every level, including within segments. Micro-segmentation without intra-segment access controls simply creates smaller trusted zones, which contradicts the zero trust principle of never granting implicit trust based on network location.
Question 20
An organization uses a hybrid encryption scheme: RSA to exchange a session key, and AES to encrypt the data payload. An auditor questions why two algorithms are needed.
What is the BEST explanation?
A. RSA is used because AES cannot encrypt data securely
B. AES is used for bulk data encryption because it is faster; RSA securely distributes the AES session key
C. RSA and AES must always be used together per PKI standards
D. AES handles authentication while RSA handles encryption
Answer & reasoning
Correct: B
Hybrid encryption leverages the strengths of both: asymmetric (RSA) for secure key exchange and symmetric (AES) for fast bulk data encryption. RSA is computationally expensive for large data, while AES is efficient but requires a shared key. Together they solve both the performance and key distribution problems.
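The hybrid scheme described above, carried through in code as an added example that is not part of the original review. It uses Go's standard library: RSA-OAEP wraps a per-message AES-256 session key and AES-GCM encrypts the payload. The function names, the recipient key pair and the sample payload are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// check aborts on errors that indicate a programming mistake, not bad input.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newGCM builds the AES-GCM AEAD that performs the fast bulk encryption.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	check(err)
	gcm, err := cipher.NewGCM(block)
	check(err)
	return gcm
}

// seal is the sender's side: a fresh AES-256 session key encrypts the payload,
// and only that 32-byte key is RSA-OAEP-encrypted to the recipient's public key.
func seal(recipient *rsa.PublicKey, payload []byte) (wrapped, sealed []byte) {
	buf := make([]byte, 32+12) // AES-256 session key followed by a 12-byte GCM nonce
	_, err := rand.Read(buf)
	check(err)
	sessionKey, nonce := buf[:32], buf[32:]
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient, sessionKey, nil)
	check(err)
	return wrapped, newGCM(sessionKey).Seal(nonce, nonce, payload, nil) // nonce||ciphertext
}

// open is the recipient's side: RSA unwraps the session key, AES-GCM decrypts and authenticates.
func open(priv *rsa.PrivateKey, wrapped, sealed []byte) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm := newGCM(sessionKey)
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

func main() {
	recipient, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed recipient key pair
	wrapped, sealed := seal(&recipient.PublicKey, []byte("constructed: the bulk payload"))
	plain, _ := open(recipient, wrapped, sealed)
	fmt.Printf("RSA carried %d bytes; AES recovered %q\n", len(wrapped), plain)
}
```

The RSA-wrapped key is always 256 bytes for RSA-2048 regardless of payload size, which is the performance argument in the reasoning above: RSA does one small operation per message and AES does the rest.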
Domain 1 Pattern Summary
In Security+ Domain 1:
- Control category (administrative, technical, physical) is determined by how it is implemented, not what it protects.
- CIA triad questions ask which element is impacted; integrity involves hashing and tampering, confidentiality involves encryption and access, availability involves uptime and redundancy.
- Zero trust eliminates implicit trust; network location never grants access.
- Cryptography questions test symmetric vs. asymmetric selection: key distribution drives the choice.
- PKI issues (trust, revocation, SAN mismatches) almost always require certificate action, not network changes.
- Change management failures require process corrections, not just technical fixes.
- AAA questions distinguish authentication (who), authorization (what), and accounting (tracking).
If an answer jumps to a technical fix without addressing the process or governance gap, it is usually wrong.