CCNA Cysa Vulnerability Management Questions

75 of 139 questions · Page 1/2 · Cysa Vulnerability Management topic · Answers revealed

1
Multi-Select · medium

A security analyst is prioritizing vulnerabilities for remediation. The analyst has identified several vulnerabilities with CVSS scores, but wants to incorporate additional context to ensure the most critical vulnerabilities are addressed first. Which TWO factors should the analyst consider beyond the CVSS base score? (Choose two.)

Select 2 answers
A. Number of affected assets
B. Vulnerability publication date
C. Vendor patch availability
D. Exploit Prediction Scoring System (EPSS)
E. CISA Known Exploited Vulnerabilities (KEV) catalog
Answers: D, E

EPSS predicts the likelihood of exploitation in the wild.

Why this answer

EPSS provides a probability of exploitation based on real-world data, and KEV is a catalog of known exploited vulnerabilities from CISA. Both give additional context beyond CVSS. Business context is important but is not a standardized scoring system like EPSS or KEV.

2
MCQ · easy

A security analyst is reviewing a vulnerability scan report and notices a plugin that identifies a critical vulnerability with a CVSS v3.1 base score of 9.8. The CVSS vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Which attack vector is indicated?

A. Network
B. Adjacent network
C. Local
D. Physical
Answer: A

AV:N stands for network, meaning the attacker can exploit from across the network.

Why this answer

AV:N indicates network attack vector, meaning the vulnerability can be exploited remotely over the network without any physical or local access.

3
MCQ · hard

A vulnerability management team is evaluating a critical vulnerability in a legacy application that cannot be patched. The application is used by a small number of users internally. Which of the following is the best compensating control to reduce risk?

A. Implement network segmentation to restrict access to the application
B. Enable application whitelisting on all endpoints
C. Encrypt all data in transit
D. Disable the application until a patch is available
Answer: A

Segmentation reduces the attack surface by limiting who can reach the vulnerable application.

Why this answer

When patching is not possible, compensating controls like network segmentation can limit exposure. Disabling the application would impact business. Application whitelisting might be too broad.

Encryption doesn't prevent exploitation of the vulnerability.

4
MCQ · easy

An organization is implementing a patch management process. Which of the following is the BEST practice before deploying patches to production systems?

A. Disable automatic updates and deploy patches manually without testing
B. Immediately apply all patches to production to minimize exposure time
C. Test patches in a staging environment that mirrors production
D. Only apply patches that have a CVSS score of 9.0 or higher
Answer: C

Testing in a staging environment verifies patch compatibility and stability.

Why this answer

Testing patches in a staging environment that mirrors production helps identify potential conflicts or issues before deployment, reducing the risk of disruption.

5
Multi-Select · medium

A security analyst is conducting a vulnerability assessment of a Kubernetes cluster. Which TWO of the following are common misconfigurations that could lead to security risks? (Select TWO.)

Select 2 answers
A. Setting resource limits on containers
B. Configuring network policies to restrict traffic
C. Running containers in privileged mode
D. Using read-only root filesystems
E. Using hostPath mounts
Answers: C, E

Privileged containers have full access to the host.

Why this answer

Privileged containers and hostPath mounts are common Kubernetes misconfigurations that can lead to container breakout and host access.

6
MCQ · medium

During a vulnerability scan, an analyst identifies a plugin that reports a vulnerability with a CVSS v3.1 base score of 7.5. The vector string includes AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. Which of the following is the primary impact of this vulnerability?

A. Integrity
B. Scope change
C. Availability
D. Confidentiality
Answer: C

A:H denotes high impact on availability.

Why this answer

The CIA impact ratings show A:H (Availability High), meaning the vulnerability primarily impacts availability. C:N and I:N indicate no impact on confidentiality or integrity.

7
MCQ · medium

A vulnerability scanner reports a plugin that identifies a web application vulnerability related to the failure to validate user input, allowing an attacker to inject malicious scripts that execute in other users' browsers. Which OWASP Top 10 category does this vulnerability fall under?

A. Injection
B. Security Misconfiguration
C. Cryptographic Failures
D. Broken Access Control
Answer: A

XSS is a form of injection where malicious scripts are injected into web pages.

Why this answer

The description matches cross-site scripting (XSS), which is part of the OWASP Top 10 category 'Injection' (formerly separate, but in 2021 XSS is included in Injection).

8
Multi-Select · easy

A security analyst is selecting tools for vulnerability management. Which THREE of the following are vulnerability scanning tools?

Select 3 answers
A. Lynis
B. Nessus
C. Wireshark
D. Qualys
E. OpenVAS
Answers: B, D, E

Nessus is a vulnerability scanner.

Why this answer

Nessus, Qualys, and OpenVAS are well-known vulnerability scanners. Lynis is a security auditing tool for hardening, but not primarily a vulnerability scanner, and Wireshark is a network protocol analyzer.

9
MCQ · hard

A security analyst is evaluating a vulnerability with CVSS v3.1 base score: AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:N/A:N. Which of the following best describes the scope and impact of this vulnerability?

A. Scope is unchanged, high impact on confidentiality only
B. Scope is changed, high impact on integrity only
C. Scope is unchanged, high impact on confidentiality and integrity
D. Scope is changed, high impact on confidentiality only
Answer: D

S:C and C:H with I:N and A:N.

Why this answer

The scope is Changed (S:C), meaning the vulnerable component impacts resources beyond its security scope. The impact is High on confidentiality (C:H), but none on integrity or availability.

10
Multi-Select · hard

A security analyst is reviewing a containerized application for vulnerabilities. The analyst uses a container image scanner and identifies several issues. Which THREE of the following are common container and Kubernetes misconfigurations that the analyst should prioritize? (Choose three.)

Select 3 answers
A. Overly permissive RBAC configurations
B. Keeping container images up to date
C. Running containers with the 'privileged' flag
D. Implementing network policies to restrict pod communication
E. Using hostPath mounts
Answers: A, C, E

Excessive permissions in Kubernetes can lead to privilege escalation or unauthorized access.

Why this answer

Privileged containers grant excessive permissions, hostPath mounts allow host filesystem access, and overly permissive RBAC can lead to unauthorized actions. Keeping containers updated is important but not a misconfiguration, and network policies are a best practice.

11
Multi-Select · medium

A vulnerability management team is prioritizing vulnerabilities for remediation. They have a list of vulnerabilities with different characteristics. According to best practices, which TWO factors should be considered when prioritizing vulnerabilities? (Select TWO.)

Select 2 answers
A. The CVSS base score
B. The asset's criticality to the business
C. The availability of a patch
D. Whether the vulnerability is listed in the CISA KEV catalog
E. The number of open ports on the asset
Answers: B, D

Asset criticality is a key factor.

Why this answer

Asset criticality (business context) and the presence of known exploits (e.g., KEV) are key prioritization factors. CVSS base score is a factor but not as dynamic. Patch availability is important but secondary to exploitability and business impact.

12
Multi-Select · medium

A security analyst is performing a vulnerability assessment and needs to identify potential misconfigurations in a Kubernetes cluster. Which TWO of the following are common Kubernetes misconfigurations that should be checked? (Select TWO.)

Select 2 answers
A. Privileged containers
B. Using network policies
C. hostPath mounts
D. Running containers as non-root user
E. Using ConfigMaps for non-sensitive data
Answers: A, C

Privileged containers have full access to host resources.

Why this answer

Privileged containers and hostPath mounts are well-known security risks in Kubernetes. The other options are not typical misconfigurations.

13
MCQ · medium

During a vulnerability assessment, a security analyst discovers a web application that is vulnerable to SQL injection. The application is a legacy system that cannot be easily patched. The analyst recommends implementing a web application firewall (WAF) rule to block malicious SQL patterns. Which type of control does this represent?

A. Corrective control
B. Preventive control
C. Detective control
D. Compensating control
Answer: D

WAF compensates for the inability to patch.

Why this answer

A compensating control is an alternative control that mitigates risk when the primary control (patch) cannot be applied.

14
MCQ · medium

An organization is implementing configuration management and decides to use CIS Benchmarks to harden their servers. They choose Level 1 benchmarks for most servers but Level 2 for highly sensitive systems. What is the key difference between Level 1 and Level 2 CIS benchmarks?

A. Level 1 is more restrictive and secure than Level 2
B. Level 2 guidelines are more restrictive and may impact system functionality
C. Level 1 is for cloud systems, Level 2 for on-premises
D. Level 2 is only for DoD environments
Answer: B

Level 2 involves deeper hardening.

Why this answer

CIS Level 1 benchmarks are basic security recommendations that can be implemented with minimal impact, while Level 2 includes more restrictive controls that may affect system functionality but provide higher security.

15
Multi-Select · easy

A security analyst is setting up a vulnerability management program and needs to select tools for container image scanning. Which THREE of the following are commonly used container image scanning tools? (Select THREE.)

Select 3 answers
A. Snyk
B. OpenVAS
C. Burp Suite
D. Clair
E. Trivy
Answers: A, D, E

Snyk provides container scanning and vulnerability management.

Why this answer

Trivy, Clair, and Snyk are well-known container image scanning tools. OpenVAS is a network vulnerability scanner, and Burp Suite is for web application testing.

16
MCQ · medium

A company uses Qualys to scan their internal network. The scan report shows a vulnerability with plugin output indicating that the server is running a version of Apache httpd vulnerable to CVE-2023-1234. The asset is a development web server that is not exposed to the internet. The CVSS score is 7.5 (High). However, the EPSS score is 0.001 (very low). Which of the following should be the primary factor in prioritizing this vulnerability?

A. The CVSS score of 7.5 indicates high severity, so it should be remediated immediately.
B. The EPSS score of 0.001 indicates very low exploitability, so remediation can be delayed.
C. The asset is a development server not exposed to the internet, so remediation should be scheduled during normal maintenance.
D. The vulnerability is in Apache httpd, which is widely used, so it must be patched within 24 hours.
Answer: C

Business context (non-critical, internal exposure) combined with low EPSS suggests scheduled remediation.

Why this answer

The EPSS score of 0.001 indicates that exploitation in the wild is very unlikely, and the asset is not internet-facing, which further reduces exposure. Although EPSS is a strong exploitability signal, the question asks for the primary prioritization factor, and that is business context: the asset's criticality and its exposure. A non-critical, internal development server warrants scheduled remediation during normal maintenance rather than emergency patching; the same vulnerability on a critical or exposed asset would be prioritized higher.

17
MCQ · medium

A web application security tester uses Burp Suite to test an API endpoint. The tester sends a request with a modified HTTP method and discovers that the API accepts DELETE requests on an endpoint that should only allow GET. This is an example of which OWASP Top 10 vulnerability?

A. Injection
B. Security Misconfiguration
C. Server-Side Request Forgery (SSRF)
D. Broken Access Control
Answer: D

Broken access control allows users to perform actions beyond their permissions.

Why this answer

Improper handling of HTTP methods can lead to broken access control, allowing unauthorized actions.

18
MCQ · hard

An organization uses Qualys for vulnerability scanning. After a scan, the security team identifies a vulnerability with an EPSS score of 0.95 and that appears in the CISA KEV catalog. However, the affected asset is a non-critical development server with no internet access. According to the vulnerability lifecycle, what should be the analyst's NEXT action?

A. Apply a compensating control, such as a firewall rule blocking access to the server.
B. Escalate the vulnerability to management for emergency patching.
C. Document the finding and schedule remediation during the next regular maintenance window.
D. Immediately patch the server within 48 hours due to the high EPSS score.
Answer: C

Business context indicates lower priority, so regular scheduling is appropriate.

Why this answer

Despite the high EPSS score and the KEV listing, the asset's business context (non-critical, no internet access) lowers the risk; the analyst should prioritize based on that context and schedule remediation with lower urgency.

19
MCQ · hard

During a web application penetration test, a security analyst uses a DAST tool and discovers that the application is vulnerable to Server-Side Request Forgery (SSRF). According to the OWASP Top 10 2021, under which category does SSRF fall?

A. A03: Injection
B. A01: Broken Access Control
C. A06: Vulnerable and Outdated Components
D. A10: Server-Side Request Forgery (SSRF)
Answer: D

OWASP Top 10 2021 includes SSRF as a distinct category.

Why this answer

In OWASP Top 10 2021, SSRF is a new category A10: Server-Side Request Forgery (SSRF).

20
Multi-Select · hard

A security analyst is reviewing a compliance scan report for a DoD environment that uses Security Technical Implementation Guides (STIGs). The report indicates several failures. Which TWO of the following are likely STIG requirements for a Windows 10 system?

Select 2 answers
A. Enable Windows Defender Credential Guard
B. Allow automatic logon with empty password
C. Disable audit log generation for failed logins
D. Enable SMBv1 protocol for compatibility
E. Minimum password length of 14 characters
Answers: A, E

Credential Guard is a STIG requirement to protect credentials.

Why this answer

STIGs for Windows 10 require Credential Guard to protect credentials and a minimum password length of 14 characters. The other options describe weakened settings that STIGs prohibit: automatic logon with an empty password, suppressed auditing of failed logins, and the legacy SMBv1 protocol, which STIGs require to be disabled.

21
Multi-Select · hard

A security analyst is reviewing the output of a vulnerability scanner that uses CVSS v3.1. The analyst wants to understand the impact metrics. Which THREE of the following are impact metrics in the CVSS v3.1 base score? (Select THREE.)

Select 3 answers
A. Scope (S)
B. Attack Vector (AV)
C. Confidentiality (C)
D. Availability (A)
E. Integrity (I)
Answers: C, D, E

Confidentiality impact measures data disclosure.

Why this answer

CVSS v3.1 base score includes three impact metrics: Confidentiality (C), Integrity (I), and Availability (A). Attack Vector, Attack Complexity, Privileges Required, etc., are exploitability metrics.

22
Multi-Select · hard

An organization is implementing a patch management process. Which THREE of the following are essential steps that should be included before deploying patches to production systems? (Select the three best answers.)

Select 3 answers
A. Testing patches in a staging environment
B. Reviewing vendor security advisories for patch details
C. Performing regression testing on applications
D. Deploying patches directly to all production systems simultaneously
E. Disabling all security controls to avoid conflicts
Answers: A, B, C

Staging testing validates patches in a replica environment.

Why this answer

Staging environment testing, regression testing, and vendor advisory review are key pre-deployment steps.

23
MCQ · medium

A company is implementing a patch management process. Which of the following steps should be performed FIRST after a vendor releases a security patch for a critical vulnerability?

A. Schedule the patch for the next maintenance window
B. Test the patch in a staging environment that mirrors production
C. Deploy the patch to all production servers immediately
D. Create a patch compliance report
Answer: B

Testing ensures compatibility and stability.

Why this answer

Patches should be tested in a staging environment to ensure they do not break critical business functions before deployment.

24
MCQ · medium

A security analyst is configuring a compliance scan for a Linux server using CIS Benchmarks. The analyst must ensure the server meets Level 1 benchmarks. Which of the following is a characteristic of CIS Level 1 benchmarks?

A. They are practical and prudent, with a low impact on business functionality
B. They are only applicable to cloud environments
C. They provide specific STIG requirements for DoD systems
D. They are intended for high-security environments and may impact performance
Answer: A

Level 1 focuses on essential security without major operational disruption.

Why this answer

Level 1 benchmarks are foundational and designed to have minimal impact on business operations while improving security.

25
MCQ · medium

An organization uses a DAST tool to scan a web application. The scanner reports a finding where user input is reflected in the HTTP response without proper encoding. Which OWASP Top 10 category best describes this vulnerability?

A. Cross-Site Scripting (XSS)
B. Injection
C. Broken Access Control
D. Security Misconfiguration
Answer: A

Reflected XSS is a form of cross-site scripting; older OWASP Top 10 editions listed XSS as its own category.

Why this answer

Reflected XSS occurs when user input is echoed in the HTTP response without proper output encoding, so attacker-supplied script executes in the victim's browser. Of the options given, Cross-Site Scripting (XSS) describes the finding most specifically; note that OWASP Top 10 2021 groups XSS under A03: Injection (formerly a separate category).

26
Multi-Select · medium

A security team is deploying a new web application and wants to ensure it follows secure configuration practices. Which THREE of the following are recommended configuration settings according to CIS benchmarks for web servers? (Select THREE.)

Select 3 answers
A. Disable directory listing
B. Use HTTP instead of HTTPS
C. Enforce HTTPS
D. Enable automatic directory browsing
E. Remove default accounts
Answers: A, C, E

Prevents information disclosure.

Why this answer

Disabling directory listing, removing default accounts, and enforcing HTTPS are common secure configuration practices recommended by CIS benchmarks.

27
MCQ · medium

A security analyst reviews a vulnerability scan report and identifies a critical vulnerability with a CVSS v3.1 base score of 9.8. The attack vector is 'Network', attack complexity is 'Low', privileges required is 'None', user interaction is 'None', scope is 'Unchanged', and all three CIA impacts are 'High'. Which additional factor should the analyst prioritize when deciding whether to apply a patch or a compensating control?

A. The number of affected hosts
B. The EPSS score for the vulnerability
C. The OS type of the affected system
D. The vendor's patch release date
Answer: B

EPSS provides a probability of exploitation, aiding in patch vs. compensating control decisions.

Why this answer

The EPSS score estimates the likelihood of exploitation in the wild, which helps prioritize remediation. CVSS alone does not indicate active exploitation.

28
MCQ · easy

During a vulnerability assessment, a security analyst uses Nessus to scan a network. Which type of scan is most appropriate to identify live hosts and open ports without causing significant disruption?

A. Full connect scan
B. TCP SYN scan
C. UDP scan
D. Ping sweep
Answer: B

SYN scan sends a SYN packet and waits for SYN-ACK; it does not complete the handshake, reducing disruption.

Why this answer

A TCP SYN scan is stealthier and less intrusive than a full connect scan, making it suitable for initial discovery.

29
MCQ · hard

A security analyst is reviewing a vulnerability scan report that includes a plugin output with the following CVSS v3.1 vector: AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H. Which of the following best describes the characteristics of this vulnerability?

A. Easily exploitable by an unauthenticated remote attacker
B. Requires local access, high attack complexity, high privileges, and user interaction
C. Requires physical access to exploit
D. Remotely exploitable with low complexity
Answer: B

The vector components match this description.

Why this answer

The vector indicates local attack vector, high complexity, high privileges required, user interaction required, changed scope, and high impact on all three CIA metrics. This suggests a local privilege escalation vulnerability.

30
MCQ · easy

A security analyst is configuring a container image scanning tool. Which of the following tools is specifically designed for container image vulnerability scanning?

A. Nessus
B. Burp Suite
C. OpenVAS
D. Trivy
Answer: D

Trivy is a comprehensive and popular container image vulnerability scanner.

Why this answer

Trivy is a popular open-source scanner designed for container images (it also scans filesystems and repositories). Nessus and OpenVAS are network vulnerability scanners, and Burp Suite is a web application testing tool.

31
MCQ · easy

A vulnerability management team is prioritizing remediation of a list of vulnerabilities. They want to incorporate the likelihood of exploitation based on real-world exploit activity. Which of the following data sources should they use?

A. CVE
B. CVSS
C. KEV
D. EPSS
Answer: D

EPSS provides a probability score based on real-world exploit activity.

Why this answer

The Exploit Prediction Scoring System (EPSS) uses real-world exploit data to predict the likelihood of exploitation. KEV lists known exploited vulnerabilities but is not a scoring system. CVSS and CVE are not probabilistic.

32
MCQ · hard

A cybersecurity analyst is configuring a vulnerability scanning policy for a mixed environment of Linux servers and Windows workstations. The analyst wants to minimize disruption to production services while ensuring comprehensive coverage. Which approach is BEST?

A. Deploy agents on all systems to perform continuous scanning
B. Scan all systems simultaneously with minimal plugin set to avoid performance issues
C. Use separate scan windows for Linux servers and Windows workstations with appropriate credentials and performance tuning
D. Schedule a single scan of all systems using default credentials and aggressive plugin settings
Answer: C

Separate schedules reduce load, and tailored credentials improve accuracy.

Why this answer

Using separate scan windows and credentials for each OS type minimizes disruption by scanning similar systems together and reduces load, while tailored credential profiles improve scan accuracy.

33
Multi-Select · hard

A security analyst is reviewing the results of a web application vulnerability scan and needs to identify the vulnerabilities that are part of the OWASP Top 10 (2021) category 'Injection'. Which THREE of the following vulnerabilities fall under this category? (Select THREE.)

Select 3 answers
A. SQL injection
B. OS command injection
C. Broken Access Control
D. Cross-Site Scripting (XSS)
E. Security Misconfiguration
Answers: A, B, D

SQL injection is an injection flaw.

Why this answer

SQL injection, OS command injection, and Cross-Site Scripting (XSS) are all injection flaws; in OWASP Top 10 2021, XSS is folded into the Injection category. XML External Entity (XXE) injection is related but is listed separately (in the 2021 edition under Security Misconfiguration). Broken Access Control and Security Misconfiguration are separate categories.

34
MCQ · easy

A security analyst is using the EPSS to prioritize vulnerabilities for remediation. EPSS is designed to estimate the likelihood that a vulnerability will be exploited in the wild. Which of the following best describes how EPSS should be used in vulnerability management?

A. EPSS is only relevant for high-severity vulnerabilities with a CVSS score above 9.0.
B. EPSS replaces the need for vulnerability scanning because it predicts exploitability.
C. EPSS alone should determine the remediation order, ignoring asset criticality.
D. EPSS should be used as one of several factors in a risk-based prioritization approach.
Answer: D

EPSS is a data point to inform prioritization, along with asset criticality, exposure, and other factors.

Why this answer

EPSS provides a probability score (0-1) that a vulnerability will be exploited in the wild within 30 days. It should be used alongside other factors like asset criticality and business context for prioritization.

35
MCQ · hard

A security analyst is evaluating a containerized application for vulnerabilities. The analyst runs Trivy on the container image and finds several high-severity vulnerabilities in the base image. Which of the following is the most effective remediation strategy?

A. Use a runtime security tool to monitor the container
B. Apply a host-based firewall to block exploitation attempts
C. Rebuild the image using a patched base image and redeploy
D. Disable the container until a patch is available
Answer: C

This removes the vulnerabilities at the source.

Why this answer

Rebuilding the container image with a patched base image addresses the root cause by eliminating vulnerable components.

36
MCQ · hard

A security analyst is investigating a Kubernetes cluster and finds that a container is running with securityContext.privileged: true. The container also has a hostPath mount that allows writing to the host filesystem. Which of the following best describes the primary risk of this configuration?

A. The container can only read host files, but not modify them.
B. The container can only affect other containers in the same pod, not the host.
C. The container can be used to launch a denial-of-service attack on the Kubernetes API server.
D. The container can break out of the container environment and gain root access to the host node.
Answer: D

Privileged mode gives nearly all capabilities, and hostPath mount provides access to host filesystem.

Why this answer

A privileged container with hostPath mount can escape the container and compromise the host. The container can access host resources, potentially allowing full host compromise.

37
MCQ · easy

During a vulnerability scan, a security analyst identifies a critical vulnerability with a CVSS v3.1 base score of 9.8. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Which component of this vector indicates that the vulnerability can be exploited without any user interaction?

A. AC:L
B. AV:N
C. PR:N
D. UI:N
Answer: D

UI:N means no user interaction is required for exploitation.

Why this answer

The UI (User Interaction) metric in the CVSS vector is set to N (None), meaning no user action is required for exploitation.

38
MCQ · medium

An analyst is reviewing a Nessus scan report and sees a plugin result that indicates a web application is vulnerable to SQL injection. The plugin output includes the payload used and the database error message. Which OWASP Top 10 category does this vulnerability belong to?

A. A03:2021 – Injection
B. A07:2021 – Identification and Authentication Failures
C. A09:2021 – Security Logging and Monitoring Failures
D. A01:2021 – Broken Access Control
Answer: A

SQL injection is a type of injection attack.

Why this answer

SQL injection is a classic injection flaw, which falls under OWASP Top 10 category 'A03:2021 – Injection' (or A1 in older versions).

39
MCQ · medium

A security team is implementing configuration management for a set of Linux servers in a non-DoD environment. They want to apply a security baseline that provides a balanced approach between security and operational efficiency. Which of the following would be most appropriate?

A. CIS Level 1 Benchmark
B. OWASP Top 10
C. CIS Level 2 Benchmark
D. STIG for Linux
Answer: A

CIS Level 1 provides a balanced security posture with minimal operational impact.

Why this answer

CIS Benchmarks offer two levels: Level 1 is intended for environments where usability is still a priority, and Level 2 is for high-security environments. For a non-DoD environment, CIS Level 1 is appropriate.

40
MCQ · medium

A security analyst is configuring a container scanning tool to identify vulnerabilities in Docker images before deployment. Which of the following tools is specifically designed for container image vulnerability scanning?

A. Burp Suite
B. Nessus
C. Trivy
D. OpenVAS
Answer: C

Trivy is purpose-built for container scanning.

Why this answer

Trivy is an open-source vulnerability scanner for container images, filesystems, and Git repositories.

41
MCQ · medium

An analyst is prioritizing vulnerabilities for remediation. The vulnerability has a high CVSS score but is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog and has a low EPSS score. The affected asset is a publicly accessible web server handling sensitive customer data. Which factor should the analyst consider as most critical for prioritization?

A. The absence from the KEV catalog
B. The business context of asset criticality and exposure
C. The low EPSS score
D. The high CVSS score alone
Answer: B

Asset criticality and exposure are key prioritization factors.

Why this answer

EPSS indicates likelihood of exploitation, but business context (asset criticality and exposure) can override low EPSS if the asset is high-value and exposed. Thus, the analyst should consider the business context.

42
MCQ · medium

An analyst uses Trivy to scan a container image in a CI/CD pipeline. The scan identifies a vulnerability in an open-source library included in the image. The library is not used by the application code. Which of the following actions should the analyst recommend?

A. Accept the risk because the library is not used
B. Add a web application firewall (WAF) to protect the container
C. Remove the unused library from the image
D. Patch the library to the latest version
Answer: C

Removing unused components eliminates the vulnerability.

Why this answer

Unused components should be removed to reduce the attack surface. Patching the library is unnecessary work if the application never uses it, and a WAF does not fix vulnerabilities inside the container image. Accepting the risk may be defensible, but removal eliminates the finding outright.

43
Multi-Select · medium

A security analyst is reviewing the output of a vulnerability scan and sees a finding for a web application that uses a known vulnerable version of Apache Struts. Which TWO of the following actions should the analyst prioritize?

Select 2 answers
A. Remove the Apache Struts component entirely
B. Reboot the web server to clear memory
C. Update Apache Struts to the latest patched version
D. Disable the web application until further notice
E. Implement a WAF rule to block known exploit patterns
Answers: C, E

Patching is the primary remediation action.

Why this answer

Updating the component to a patched version is the primary remediation. If a patch is not immediately available, a WAF rule can provide temporary protection.

44
MCQ · medium

A company uses Lynis for compliance scanning on Linux servers. During a scan, Lynis reports that the system has world-writable files in critical directories. Which CIS Benchmark recommendation does this finding relate to?

A.Ensure no world-writable files exist
B.Ensure system is configured to forward logs to a central server
C.Ensure permissions on /etc/shadow are configured
D.Ensure separate partition exists for /tmp
Answer: A

The CIS Benchmark directly addresses world-writable files.

Why this answer

CIS Benchmarks include recommendations to restrict file permissions, such as ensuring no world-writable files exist in system directories.

45
MCQ · easy

Which vulnerability scanner is an open-source tool commonly used for network vulnerability scanning?

A.OpenVAS
B.Qualys
C.Nessus
D.Rapid7 InsightVM
Answer: A

OpenVAS is an open-source vulnerability scanner.

Why this answer

OpenVAS is a well-known open-source vulnerability scanner.

46
Multi-Select · medium

A company uses a patch management tool to track compliance across its server fleet. The security team needs to prioritize vulnerabilities for patching. Which THREE factors should be considered when prioritizing?

Select 3 answers
A.EPSS probability score
B.Asset criticality and exposure
C.Availability of a patch from the vendor
D.CVSS base score
E.Number of plugins that detected the vulnerability
Answers: A, B, D

EPSS predicts exploitation likelihood.

Why this answer

CVSS score indicates severity, EPSS estimates exploitation likelihood, and asset criticality reflects business impact. Patch availability is more about remediation capability than prioritization.

47
MCQ · hard

A cloud security analyst is reviewing a misconfiguration in an AWS S3 bucket that allows public read access. The bucket contains sensitive customer data. Which of the following CIS AWS Foundations Benchmark checks would most likely identify this issue?

A.Enable default encryption for S3 buckets
B.Enable S3 bucket logging
C.Enable versioning on S3 buckets
D.Ensure S3 buckets do not allow public read access
Answer: D

This directly addresses the misconfiguration.

Why this answer

CIS AWS Foundations Benchmark includes a control for ensuring S3 buckets do not allow public read access. The control is typically '1.5 Ensure S3 bucket policy restricts public read access'. 'Enable S3 bucket logging' is about logging, not access. 'Enable default encryption' is about encryption. 'Enable versioning' is about data protection.

48
MCQ · medium

A security analyst is configuring a vulnerability scan using OpenVAS. The scan should identify missing patches on Windows servers. Which of the following scan types should the analyst select?

A.Credentialed scan
B.Passive scan
C.Unauthenticated scan
D.Port scan
Answer: A

Credentialed scans use credentials to log in and check patch status.

Why this answer

OpenVAS uses authenticated (credentialed) scans to check for missing patches. Unauthenticated scans only detect open ports and exposed services; a credentialed scan with valid credentials logs in to the host and can read the installed patch level.

49
Multi-Select · medium

A security analyst is using OpenVAS to scan a network. The scan identifies several vulnerabilities. Which TWO of the following are valid components of a CVSS v3.1 base score? (Select the two correct answers.)

Select 2 answers
A.Exploitability (E)
B.Confidence (C)
C.Remediation Level (RL)
D.Scope (S)
E.Attack Vector (AV)
Answers: D, E

Scope is a base metric.

Why this answer

Attack Vector and Scope are both part of the CVSS v3.1 base score.

50
Multi-Select · hard

A security analyst is performing a cloud security assessment for an AWS environment. Which THREE of the following configurations would be considered CIS AWS Foundations Benchmark violations?

Select 3 answers
A.Password policy does not require any complexity (lowercase only)
B.IAM password policy with minimum length of 8 characters and requires at least one uppercase letter
C.CloudTrail is not enabled in any region
D.S3 bucket with public read access for all objects
E.Root account has MFA enabled
Answers: A, C, D

CIS requires a strong password policy with complexity requirements.

Why this answer

The CIS AWS Foundations Benchmark includes requirements for the IAM password policy, CloudTrail logging, and root account security. MFA on the root account is a best practice the benchmark requires, so having it enabled is not a violation; not having it would be. CloudTrail not being enabled is a violation.

A permissive password policy (no complexity) is a violation.

51
MCQ · medium

A security analyst is reviewing a Kubernetes cluster configuration. Which of the following misconfigurations poses the MOST severe security risk?

A.Using hostPath mounts with read-only access
B.Using ConfigMaps for non-sensitive data
C.Privileged containers with unrestricted host access
D.Running containers as non-root user
Answer: C

Privileged containers can escape to the host, leading to full compromise.

Why this answer

Privileged containers bypass all security restrictions and can access the host system, posing the most severe risk.

52
Multi-Select · medium

A security analyst is prioritizing vulnerabilities for a critical internet-facing application server. The analyst has CVSS scores, EPSS scores, and access to the CISA KEV catalog. Which TWO factors should the analyst consider as the most important for determining remediation priority? (Select TWO)

Select 2 answers
A.Asset criticality and business context
B.CVSS base score
C.Number of plugins detecting the vulnerability
D.EPSS score
E.CISA Known Exploited Vulnerabilities (KEV) catalog
Answers: A, E

A critical internet-facing server requires higher priority.

Why this answer

Asset criticality and business context are crucial because the server is critical and internet-facing. KEV indicates known exploitation in the wild, which is equally important. Of the options, the best two are therefore asset criticality (the server is critical) and known exploitation (KEV); the CVSS base score alone does not account for exploitability context.

53
MCQ · easy

A security analyst is reviewing vulnerability scan results and notices that a critical vulnerability on a web server has a CVSS v3.1 base score of 9.8 with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Which component of the CVSS vector indicates that the vulnerability can be exploited from a remote network?

A.PR:N
B.AV:N
C.AC:L
D.UI:N
Answer: B

AV:N denotes network-based attack vector, meaning exploitable remotely.

Why this answer

AV stands for Attack Vector. AV:N means the vulnerability is exploitable over a network, indicating remote exploitation.

54
MCQ · hard

A security team is using EPSS scores and CISA KEV catalog to prioritize vulnerabilities. Which combination of factors would indicate the HIGHEST priority for remediation?

A.Medium CVSS score and high asset criticality
B.High EPSS score and presence in KEV catalog
C.High CVSS score and low EPSS score
D.Low CVSS score and presence in KEV catalog
Answer: B

Both factors indicate active exploitation and high likelihood of exploitation, making this the highest priority.

Why this answer

The CISA KEV catalog contains vulnerabilities known to be exploited in the wild, and a high EPSS score indicates a high probability of exploitation. Together, they indicate the highest priority.

55
MCQ · hard

A security analyst is using Nessus to scan a network. The scan completes and reports a vulnerability with a CVSS v3.1 base score of 5.3 and vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The vulnerability is a low-information disclosure issue that reveals the server's internal IP address in HTTP headers. The asset is a public-facing web server. Which of the following best describes the risk level and appropriate response?

A.Low risk; no action needed because internal IP disclosure is not a vulnerability.
B.Critical risk because the server is public-facing; immediate patching is required.
C.Medium risk; schedule a configuration change to remove the header during the next maintenance window.
D.High risk due to public exposure; apply an emergency patch to hide the header.
Answer: C

The risk is medium, and the fix is a configuration change that can be scheduled.

Why this answer

The CVSS score is 5.3 (Medium), with low impact on confidentiality and no impact on integrity or availability. Although the server is public-facing, the exposure adds little: the information disclosed (an internal IP address) is minimal and may already be known or easily guessable. The appropriate response is to schedule the configuration change during normal maintenance, not as an emergency.

56
MCQ · medium

A security analyst is reviewing the results of a vulnerability scan and notices that several vulnerabilities have high CVSS scores but low EPSS scores. The analyst also cross-references the CISA Known Exploited Vulnerabilities (KEV) catalog and finds that none of these vulnerabilities are listed. Which approach should the analyst take when prioritizing remediation?

A.Remediate vulnerabilities with high CVSS scores only if they are internet-facing.
B.Prioritize based on EPSS scores and KEV status, but also consider business context.
C.Remediate only vulnerabilities found in the KEV catalog.
D.Remediate all vulnerabilities with CVSS scores above 9.0 immediately.
Answer: B

EPSS and KEV provide real-world exploitation context, and business context ensures critical assets are protected.

Why this answer

EPSS predicts the likelihood of exploitation, and KEV lists vulnerabilities known to be exploited in the wild. High CVSS but low EPSS and not in KEV suggests the vulnerability may be severe but unlikely to be exploited currently. However, business context such as asset criticality and exposure should be considered; if the asset is critical and exposed, remediation should still be prioritized despite low exploitation likelihood.

57
Multi-Select · medium

A security analyst is prioritizing vulnerabilities discovered during a scan. Which TWO factors should the analyst consider as part of business context to determine remediation priority? (Select TWO.)

Select 2 answers
A.Asset exposure
B.CVSS base score
C.Patch availability
D.Exploit availability
E.Asset criticality
Answers: A, E

Exposure determines likelihood of attack.

Why this answer

Asset criticality (how important the asset is to the business) and exposure (whether the asset is internet-facing or accessible to attackers) are key business context factors.

58
MCQ · easy

During a vulnerability scan, a security analyst identifies a critical vulnerability with a CVSS v3.1 base score of 9.8. The attack vector is network, attack complexity is low, privileges required are none, user interaction is none, and the impact to confidentiality, integrity, and availability is high. Which CVSS vector string represents this vulnerability?

A.CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
B.CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
C.CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
D.CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Answer: A

Correct vector for the described metrics.

Why this answer

The CVSS v3.1 vector string follows the format CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H for a network-attack vector, low complexity, no privileges, no user interaction, unchanged scope, and high impact on all three CIA metrics.

59
MCQ · medium

A security analyst is reviewing a vulnerability scan report and notices a critical vulnerability with a CVSS v3.1 base score of 9.8. The vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Which of the following best describes the attack vector and the scope impact?

A.Attack vector: Network; Scope: Unchanged
B.Attack vector: Network; Scope: Changed
C.Attack vector: Local; Scope: Changed
D.Attack vector: Adjacent; Scope: Unchanged
Answer: A

AV:N means network attack vector, S:U means unchanged scope.

Why this answer

The CVSS vector AV:N indicates a network attack vector, meaning the vulnerability can be exploited remotely over a network. S:U indicates an unchanged scope, meaning the exploitation cannot affect resources beyond the security authority of the vulnerable component.

60
MCQ · hard

A security analyst is reviewing a vulnerability scan of a Kubernetes cluster. The scan reports that a container is running with privileged mode enabled. Which CIS Kubernetes Benchmark recommendation does this violation relate to?

A.Ensure that containers are not running with privileged access
B.Ensure that the cluster-admin role is not used
C.Ensure that the API server is not exposed to the internet
D.Ensure that etcd is configured with TLS
Answer: A

Correct; privileged containers are a security risk and are discouraged by CIS benchmarks.

Why this answer

The CIS Kubernetes Benchmark includes a recommendation to avoid running containers with privileged access, as it increases security risks. This is a common misconfiguration.

61
MCQ · medium

During a patch management process, a security analyst is testing a critical security patch in a staging environment. The patch is intended to fix a remote code execution vulnerability in a widely used application. What is the MOST important step before deploying to production?

A.Check the patch's CVSS score
B.Verify the patch's digital signature
C.Automatically deploy to all production servers immediately
D.Perform regression testing to ensure no breakage
Answer: D

Regression testing validates that existing functionality still works.

Why this answer

Performing regression testing ensures that the patch does not introduce new issues or break existing functionality, which is critical before production deployment.

62
MCQ · medium

An organization uses a DAST tool to test a web application for vulnerabilities. The tool sends specially crafted requests and analyzes responses. Which of the following vulnerabilities is a DAST tool most effective at identifying?

A.Outdated library versions in code
B.Insecure cryptographic algorithms in code
C.Hardcoded credentials in source code
D.SQL injection
Answer: D

Correct; DAST can detect SQL injection by sending malicious input and analyzing responses.

Why this answer

DAST tools are effective at finding runtime vulnerabilities like SQL injection, XSS, and other injection flaws by simulating attacks on the running application.

63
MCQ · medium

A security analyst is using OpenSCAP to perform a compliance scan against a set of RHEL servers. The analyst wants to ensure the servers comply with the CIS Benchmark Level 1 for Red Hat Enterprise Linux. What does Level 1 typically indicate?

A.A custom profile defined by the organization
B.A set of security controls that are considered best practices with minimal impact on functionality
C.The most secure configuration possible
D.Configuration settings that are required for DoD environments
Answer: B

Level 1 is designed to be practical with low operational impact.

Why this answer

CIS Benchmarks define Level 1 as basic security requirements that can be implemented with minimal impact on functionality, while Level 2 includes more stringent controls.

64
MCQ · medium

A vulnerability management team is evaluating whether to apply a patch immediately or implement a compensating control. The patch is for a vulnerability in a legacy system that cannot be taken offline during business hours. The compensating control would involve restricting network access to the system. Which decision is MOST appropriate?

A.Ignore the vulnerability since it affects a legacy system
B.Remove the system from the network
C.Implement a compensating control and schedule patching during a maintenance window
D.Apply the patch immediately despite the outage risk
Answer: C

This balances risk and availability.

Why this answer

If the system cannot be patched immediately, implementing a compensating control (network restriction) reduces risk while waiting for a maintenance window.

65
MCQ · easy

An organization uses CIS Benchmarks to secure its Linux servers. The security team applies Level 1 benchmarks. Which of the following best describes Level 1 CIS benchmarks?

A.Advanced security settings that may reduce functionality
B.Required for all internet-facing systems
C.Basic security configurations with minimal operational impact
D.Only applicable to DoD environments
Answer: C

Level 1 is intended to be easy to implement with little to no impact.

Why this answer

CIS Level 1 benchmarks are basic security configurations that cause minimal disruption to business operations. Level 2 is more restrictive and may impact functionality.

66
Multi-Select · medium

A security analyst is using Burp Suite to test a web application for vulnerabilities. Which TWO of the following are common web application vulnerabilities that can be detected using Burp Suite? (Select TWO)

Select 2 answers
A.Buffer overflow
B.Insecure deserialization
C.Cross-site scripting (XSS)
D.Race condition
E.SQL injection
Answers: C, E

XSS is a common web vulnerability detectable by Burp.

Why this answer

Burp Suite can detect SQL injection and XSS through its scanner and manual testing tools. Buffer overflow and race conditions are typically not web application vulnerabilities detected by web proxies. Insecure deserialization can be detected but is less common than SQLi and XSS.

67
MCQ · medium

A security analyst is prioritizing vulnerabilities for remediation. One vulnerability has a CVSS v3.1 score of 7.5, an EPSS score of 0.02, and is not in the CISA KEV catalog. Another vulnerability has a CVSS score of 5.0, an EPSS score of 0.85, and is listed in the KEV catalog. Which vulnerability should be prioritized FIRST?

A.The vulnerability with CVSS 7.5
B.Both should be prioritized equally
C.Neither should be prioritized until a full risk assessment is done
D.The vulnerability with CVSS 5.0
Answer: D

High EPSS and presence in KEV indicate active exploitation risk.

Why this answer

EPSS and the KEV catalog provide real-world exploit intelligence. The vulnerability with the high EPSS score and KEV listing is more likely to be exploited, so it should be prioritized despite its lower CVSS score.

68
MCQ · easy

Which tool is specifically designed to check Linux systems for compliance with security best practices and can be used for configuration auditing?

A.Burp Suite
B.OpenVAS
C.Nessus
D.Lynis
Answer: D

Lynis audits system configurations and security controls on Linux.

Why this answer

Lynis is a security auditing tool for Linux/Unix systems that performs compliance checks and configuration reviews.

69
MCQ · easy

Which of the following tools is specifically designed for compliance scanning against security benchmarks on Linux systems?

A.OpenVAS
B.Nessus
C.Lynis
D.Qualys
Answer: C

Lynis is a security auditing tool that performs compliance checks.

Why this answer

Lynis is a security auditing tool for Linux/Unix that checks compliance with benchmarks. OpenSCAP is also a compliance scanner, but Lynis is more commonly used for initial audits. Nessus is a vulnerability scanner, not solely a compliance tool.

Qualys is a cloud-based vulnerability management platform.

70
MCQ · medium

An organization wants to prioritize vulnerabilities based on the likelihood of exploitation. Which of the following sources provides a data-driven probability score for exploitation?

A.CVSS v3.1
B.EPSS
C.CIS Benchmarks
D.OWASP Top 10
Answer: B

EPSS provides a probability score for exploitation.

Why this answer

EPSS uses real-world data to predict the probability of exploitation, aiding in prioritization.

71
MCQ · easy

During a vulnerability assessment, a security analyst uses a tool that identifies missing patches and misconfigurations based on CIS Benchmarks. Which of the following tools is specifically designed for compliance scanning against CIS benchmarks?

A.OpenSCAP
B.Qualys
C.Nessus
D.OpenVAS
Answer: A

Correct; OpenSCAP is a compliance scanning tool that validates against security benchmarks like CIS.

Why this answer

OpenSCAP is a compliance scanning tool that can assess systems against security benchmarks such as CIS. It validates compliance with security policies.

72
MCQ · easy

A security analyst is reviewing the results of a vulnerability scan. The analyst sees a plugin output that includes the CVSS vector string AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. What is the base score of this vulnerability?

A.6.5
B.9.8
C.10.0
D.7.5
Answer: B

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H yields a base score of 9.8 in CVSS v3.1.

Why this answer

The vector indicates Network attack vector, Low attack complexity, No privileges required, No user interaction, Unchanged scope, and High impact on Confidentiality, Integrity, and Availability. For CVSS v3.1, this corresponds to a base score of 9.8 (Critical).

73
MCQ · medium

A security team is implementing CIS Benchmarks for a Linux server. They need to choose between Level 1 and Level 2 benchmarks. Which of the following best describes Level 1 benchmarks?

A.They are basic security settings that can be implemented with minimal disruption
B.They are mandatory for compliance with DoD STIGs
C.They are the most restrictive settings, suitable for high-security environments
D.They include advanced settings that require extensive testing
Answer: A

Level 1 is designed to be a practical, easy-to-implement baseline.

Why this answer

CIS Level 1 benchmarks are intended to provide a baseline security configuration without causing significant operational impact.

74
MCQ · hard

During a web application penetration test using Burp Suite, a security analyst identifies that an API endpoint accepts a URL parameter that is used to fetch data from an external resource. The application does not validate or sanitize the parameter. This is most likely vulnerable to which attack?

A.SQL injection
B.Server-Side Request Forgery (SSRF)
C.Cross-site scripting (XSS)
D.XML External Entity (XXE)
Answer: B

SSRF exploits the server to make unauthorized requests to internal or external resources.

Why this answer

Server-Side Request Forgery (SSRF) occurs when an attacker can induce the server to make requests to arbitrary URLs, often by manipulating a URL parameter.

75
MCQ · easy

Which of the following vulnerability lifecycle phases involves verifying that a remediation has been successfully applied and that the vulnerability no longer exists?

A.Discovery
B.Prioritization
C.Remediation
D.Verification
Answer: D

Correct; verification confirms the fix was effective.

Why this answer

Verification is the phase in which, after remediation, the system is rescanned or otherwise checked to confirm that the vulnerability has been mitigated.
