B is correct. The annual loss expectancy (ALE) is $2,400. It is calculated as single loss expectancy (SLE) × annual rate of occurrence (ARO). Each failure has resulted in a 10 percent loss (meaning that it cost 10 percent of the asset value to repair it). The SLE is 10 percent of $4,000 ($400), and the ARO is 6. 6 × $400 is $2400.

C is correct. A risk register lists all known risks for an asset, such as a database server, and it typically includes a risk score (the combination of the likelihood of occurrence and the impact of the risk). Risk assessments (including qualitative and quantitative risk assessments) might use a risk register, but they are not risk registers. Residual risk refers to the remaining risk after applying security controls to mitigate a risk.

D is correct. A supply chain assessment evaluates all the elements used to create, sell, and distribute a product. The National Institute of Standards and

Technology (NIST) Risk Management Framework (RMF) (NIST SP 800-

37 r2) provides steps for reducing supply chain risks. Risk assessments (including both quantitative and qualitative risk assessments) evaluate risks, but don’t evaluate the supply chain required to support an e-commerce website. Threat hunting is the process of actively looking for threats within a network before an automated tool detects and reports on the threat.

A and C are correct. Intelligence fusion and advisories and bulletins are part of threat hunting. Threat hunting is the process of actively looking for threats within a network before an automated tool detects and reports on the threat. Vulnerability scans are used as part of a security assessment. Although a history of vulnerability scans and related logs may be part of the intelligence fusion, CompTIA objectives specifically list the following four elements: intelligence fusion, advisories and bulletins, threat feeds, and predictions of how attackers may maneuver though the network. A configuration review verifies that systems are configured correctly.

D is correct. Nmap is a network scanner, and it can detect the protocols and services running on a server. The dnsenum command will enumerate (or list) Domain Name System (DNS) records for domains. An IP scanner detects IPs active on a network but not the services running on the individual hosts. Passive reconnaissance uses open source intelligence (OSINT) instead of active tools.

D is correct. A port scanner identifies open ports on a system and is commonly used to determine what services are running on the system. Vulnerability scanners often include port-scanning capabilities, and they can help identify potential weak configurations. A penetration test attempts to exploit a vulnerability. A protocol analyzer can analyze traffic and discover protocols in use, but this would be much more difficult than using a port scanner. A non-credentialed scan refers to a vulnerability scan, and while a vulnerability scan may reveal services running on a server, it won’t be as specific as a port scan.

A is correct. A false negative occurs if a vulnerability scanner does not report a known vulnerability. A false positive occurs when a vulnerability scanner reports a vulnerability that doesn’t exist. The scenario doesn’t indicate if the scan was run under the context of an account (credentialed) or anonymously (non-credentialed), so these answers aren’t relevant to the question.