CCNA Cysa Vulnerability Management Questions

64 of 139 questions · Page 2/2 · Cysa Vulnerability Management topic · Answers revealed

76
Multi-Select · medium

A security analyst is evaluating a Kubernetes cluster for misconfigurations. Which TWO of the following are common Kubernetes misconfigurations that increase security risk? (Select the two best answers.)

Select 2 answers
A. Running containers as non-root user
B. Using hostPath mounts
C. Using privileged containers
D. Enabling Role-Based Access Control (RBAC)
E. Implementing network policies to restrict traffic
Answers: B, C

hostPath mounts allow a container to access the host filesystem.

Why this answer

Privileged containers and hostPath mounts are known high-risk misconfigurations in Kubernetes.

77
MCQ · medium

A company uses a configuration management tool to enforce CIS Benchmarks on its servers. The security team wants to apply Level 1 benchmarks to all servers to achieve a baseline security posture. Which of the following best describes the difference between CIS Level 1 and Level 2 benchmarks?

A. Level 1 benchmarks are for Linux systems, while Level 2 benchmarks are for Windows systems.
B. Level 1 benchmarks are basic security measures that do not impact system performance, while Level 2 benchmarks are more restrictive and may affect performance or usability.
C. Level 1 benchmarks are for servers, while Level 2 benchmarks are for workstations.
D. Level 1 benchmarks are mandatory, while Level 2 benchmarks are optional.
Answer: B

This option accurately describes the intended distinction between the two levels.

Why this answer

CIS Level 1 benchmarks are intended to provide a clear security benefit without significantly impacting functionality or performance. Level 2 benchmarks provide more stringent security but may reduce functionality or require additional operational effort.

78
MCQ · medium

During a web application security assessment using OWASP ZAP, a tester identifies that the application reflects user input in HTTP responses without proper encoding. Which OWASP Top 10 vulnerability category does this finding most likely belong to?

A. Broken Access Control
B. Cryptographic Failures
C. Security Misconfiguration
D. Injection
Answer: D

XSS is a type of injection where untrusted data is included in output.

Why this answer

Reflected user input in responses without encoding is a classic sign of Cross-Site Scripting (XSS). XSS was listed as a separate category in some earlier versions of the OWASP Top 10, but in the 2021 edition it falls under Injection.

79
MCQ · medium

An organization is implementing a patch management process for servers. Which of the following is a crucial step that should be performed before deploying patches to production servers?

A. Immediately apply the patch to all systems to minimize exposure
B. Review the CVSS score to decide if the patch is necessary
C. Verify patch compliance by checking the vendor's advisory
D. Test the patch in a staging environment that closely mirrors production
Answer: D

Testing ensures stability before production rollout.

Why this answer

Testing patches in a staging environment that mirrors production helps identify issues that could cause outages or incompatibilities.

80
MCQ · hard

A cloud security team is using a container image scanning tool and finds a vulnerability in a base image used by many containers. The vulnerability is rated CVSS 7.5 and has a high EPSS score. However, rebuilding all containers with a patched base image will take significant time. What is the best immediate action?

A. Wait for the next scheduled rebuild cycle to patch the base image.
B. Apply a hotfix or workaround to the affected package in running containers.
C. Increase network segmentation to limit exposure from the vulnerability.
D. Remove all containers using the vulnerable base image immediately.
Answer: B

A hotfix provides immediate protection while the full rebuild is planned.

Why this answer

With high exploitability (EPSS), immediate action is needed. Applying a hotfix or workaround, such as updating the affected package in running containers, reduces risk while a full rebuild is planned.

81
MCQ · medium

During a vulnerability assessment, a security analyst runs a scan using OpenVAS and reviews the results. One finding indicates a plugin with ID 12345 that detects a missing patch for CVE-2023-1234 on a Linux server. The server is a critical domain controller. Which step of the vulnerability lifecycle is the analyst currently performing?

A. Remediation
B. Prioritization
C. Discovery
D. Verification
Answer: C

Running a scan and reviewing results is part of discovering vulnerabilities.

Why this answer

The analyst is identifying vulnerabilities via scanning, which is the discovery phase. Prioritization, remediation, and verification come later.

82
MCQ · easy

Which of the following is the BEST description of configuration drift?

A. A planned change to a system's configuration
B. The process of reverting a system to its baseline configuration
C. The gradual deviation of a system's configuration from the intended baseline
D. A vulnerability that is patched and then reappears
Answer: C

Drift is unplanned configuration changes over time.

Why this answer

Configuration drift refers to the gradual change in system configurations over time, causing deviations from the baseline or security standards.

83
MCQ · medium

A security analyst is configuring a vulnerability scanner for a new deployment. The scanner must be able to authenticate to targets to perform deep configuration audits against CIS Benchmarks. Which type of scan should the analyst configure?

A. Credentialed scan
B. Unauthenticated scan
C. Passive scan
D. External scan
Answer: A

Credentialed (authenticated) scans allow the scanner to log in and check configurations.

Why this answer

Authenticated scans use credentials to access the target and perform deep configuration checks, such as CIS Benchmark compliance.

84
MCQ · medium

During a patch management process, a security analyst is testing a critical security patch in a staging environment. The patch causes a regression in a key business application. Which of the following should the analyst do next?

A. Apply the patch to production but roll back if issues occur
B. Skip the patch and accept the risk
C. Deploy the patch to production and monitor for issues
D. Report the regression to the vendor and wait for a fixed patch
Answer: D

Proper procedure is to inform the vendor and obtain a corrected patch.

Why this answer

If regression occurs, the patch should not be deployed to production. The analyst should report the issue to the vendor and seek a fix. Deploying anyway could cause outages.

Skipping the patch might leave systems vulnerable, but the regression must be addressed first.

85
MCQ · easy

Which of the following tools is specifically designed for compliance scanning against security benchmarks such as CIS and STIG?

A. OpenVAS
B. Nessus
C. OpenSCAP
D. Trivy
Answer: C

OpenSCAP is used for security compliance checking.

Why this answer

OpenSCAP is a compliance scanning tool that can assess systems against SCAP content, including CIS and STIG benchmarks.

86
MCQ · easy

Which of the following best describes the purpose of the CISA Known Exploited Vulnerabilities (KEV) catalog in vulnerability management?

A. It lists vulnerabilities that are known to have been exploited in the wild
B. It provides a framework for conducting penetration tests
C. It provides a scoring system for vulnerability severity
D. It offers a database of configuration baselines for operating systems
Answer: A

The KEV catalog focuses on actively exploited vulnerabilities.

Why this answer

The KEV catalog is a list of vulnerabilities that have been actively exploited in the wild, published by CISA to help organizations prioritize patching.

87
MCQ · hard

A security analyst discovers a critical vulnerability in a web application that allows an attacker to trigger server-side requests from the application server. Which OWASP Top 10 category does this vulnerability belong to?

A. Broken Access Control
B. Security Misconfiguration
C. Injection
D. Server-Side Request Forgery (SSRF)
Answer: D

The description matches SSRF.

Why this answer

Server-Side Request Forgery (SSRF) is a distinct category in OWASP Top 10 (A10:2021).

88
MCQ · medium

A security analyst is using Qualys to perform a vulnerability scan on a public-facing web server. The scan results show that the server is running an outdated version of Apache HTTP Server with multiple known vulnerabilities. The analyst checks the vendor security advisories and finds that a patch was released three months ago. However, the server is in a staging environment and not yet in production. What should the analyst recommend?

A. Only patch if the vulnerability is rated critical.
B. Patch the server immediately because it poses a risk to the staging network.
C. Do not patch because the server is not in production.
D. Wait until the server moves to production to patch.
Answer: B

Staging environments can be attacked and should be secured.

Why this answer

Even in staging, vulnerabilities should be patched to maintain security posture and to ensure that when the server moves to production, it is secure. Staging environments should mirror production security.

89
MCQ · medium

A vulnerability scanner reports a finding with a CVSS v3.1 base score of 7.5 and vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. What does this indicate about the vulnerability?

A. It has high impact on integrity
B. It requires authentication to exploit
C. It has high impact on confidentiality
D. It has high impact on availability
Answer: D

A:H indicates high availability impact.

Why this answer

The vector shows high impact to availability (A:H) and no impact to confidentiality or integrity, so the vulnerability primarily affects availability.

90
MCQ · medium

A security analyst is using Burp Suite to test an API endpoint. The analyst notices that the API returns detailed error messages when invalid input is provided, revealing database schema information. Which OWASP Top 10 category does this issue primarily relate to?

A. Injection
B. Security Misconfiguration
C. Broken Access Control
D. Cryptographic Failures
Answer: B

Verbose error messages are a classic security misconfiguration that can leak sensitive information.

Why this answer

Detailed error messages revealing internal details are a form of security misconfiguration. The OWASP Top 10 category 'Security Misconfiguration' includes verbose error messages that leak information.

91
Multi-Select · easy

A security analyst is using a vulnerability scanner to identify missing patches on Windows servers. The scanner uses plugins that reference Common Vulnerabilities and Exposures (CVE) identifiers. Which THREE of the following are components of a CVSS v3.1 base score vector?

Select 3 answers
A. Attack Vector (AV)
B. Confidentiality (C)
C. Privileges Required (PR)
D. Remediation Level (RL)
E. Exploitability (E)
Answers: A, B, C

AV is a base metric.

Why this answer

Attack Vector (AV), Privileges Required (PR), and Confidentiality (C) are all part of the CVSS v3.1 base metric group.

92
MCQ · hard

An organization uses OpenSCAP to perform compliance scanning against STIGs for DoD environments. A scan reveals that several systems are non-compliant with STIG ID: V-XXXXX requiring 'The system must disable the guest account.' The configuration drift detection tool shows that the guest account was re-enabled after a recent patch. What is the MOST effective course of action?

A. Update the system baseline to enforce the guest account disabled state via Group Policy.
B. Apply an exception to the STIG requirement for these systems.
C. Re-run the OpenSCAP scan after the next patch cycle.
D. Manually disable the guest account on each non-compliant system.
Answer: A

Enforcing via Group Policy prevents future drift.

Why this answer

Configuration drift indicates that patches or changes are reverting settings. The most effective action is to update the baseline configuration management tool (e.g., Group Policy) to enforce the setting automatically.

93
MCQ · medium

An organization is implementing a patch management process and wants to track compliance. They deploy patches to a test group of systems before rolling out to the entire environment. After patching the test group, they run a vulnerability scan and find that 95% of the vulnerabilities are resolved. What should the organization do next?

A. Run another scan on the test group in a week to confirm persistence.
B. Immediately deploy the patch to all systems without further testing.
C. Skip full deployment and rely on the test group results.
D. Verify the patch on test systems and then proceed with full deployment through change management.
Answer: D

Verification ensures patches are effective, then change management coordinates rollout.

Why this answer

After successful testing, the next step is to deploy the patch to the rest of the environment, following change management procedures.

94
MCQ · hard

A security team discovers a critical vulnerability in a widely used software component. The vulnerability has a CVSS score of 9.0, but there is no known exploit or patch available yet. However, the software vendor has released a workaround. According to the vulnerability management lifecycle, which action should the team prioritize first?

A. Wait for the vendor to release a patch before taking any action
B. Remove the affected component from all systems immediately
C. Increase monitoring of the affected systems but take no other action
D. Apply the workaround as a compensating control
Answer: D

Correct; compensating controls reduce risk when a patch is unavailable.

Why this answer

Since no patch is available, the team should apply compensating controls to mitigate the risk. Remediation typically involves patching, but if not possible, compensating controls are the next best step.

95
MCQ · medium

A security analyst is reviewing a DAST scan result for a web application. The scanner reports a finding that allows an attacker to redirect users to a malicious site via a parameter in the URL. Which OWASP Top 10 category does this finding most likely belong to?

A. A08:2021 – Software and Data Integrity Failures
B. A03:2021 – Injection
C. A01:2021 – Broken Access Control
D. A05:2021 – Security Misconfiguration
Answer: D

Open redirect is a common security misconfiguration.

Why this answer

Open redirect has no category of its own in the OWASP Top 10 2021. It is sometimes placed under A03:2021 – Injection, but it is not an access control issue, so A01:2021 – Broken Access Control does not fit.

The closest category is A05:2021 – Security Misconfiguration, because the flaw stems from improper handling of redirect parameters.

96
Multi-Select · hard

A security analyst is performing an API vulnerability test. Which THREE of the following are common API vulnerabilities according to OWASP? (Select THREE.)

Select 3 answers
A. SQL injection in the API endpoint
B. Excessive Data Exposure
C. Cross-Site Request Forgery (CSRF)
D. Mass Assignment
E. Broken Object Level Authorization (BOLA)
Answers: B, D, E

APIs may expose more data than necessary.

Why this answer

Broken object level authorization, excessive data exposure, and mass assignment are common API vulnerabilities per OWASP API Security Top 10.

97
Multi-Select · medium

An organization is implementing security hardening for Kubernetes clusters. Which THREE of the following are common Kubernetes misconfigurations that should be addressed? (Select THREE)

Select 3 answers
A. Using namespaces to isolate workloads
B. Implementing network policies
C. Using hostPath mounts without restrictions
D. Running containers in privileged mode
E. Overly permissive RBAC roles
Answers: C, D, E

Mounting host paths can lead to host compromise.

Why this answer

Privileged containers, hostPath mounts, and overly permissive RBAC are common Kubernetes security issues. Using namespaces is good practice, not a misconfiguration. Network policies are recommended for segmentation.

98
Multi-Select · hard

A security team is implementing container security scanning in their CI/CD pipeline. They want to scan container images for vulnerabilities and Kubernetes misconfigurations. Which THREE tools from the following list are best suited for this purpose? (Select THREE)

Select 3 answers
A. Burp Suite
B. Trivy
C. OpenSCAP
D. Clair
E. Snyk
Answers: B, D, E

Trivy is a popular container vulnerability scanner.

Why this answer

Trivy, Clair, and Snyk are all container image scanning tools. OpenSCAP is for compliance scanning of hosts, not containers. Burp Suite is a web application DAST tool.

99
Multi-Select · hard

A security analyst is performing an API vulnerability test using OWASP ZAP. The analyst finds several issues. Which THREE of the following are common API vulnerabilities according to OWASP? (Select THREE.)

Select 3 answers
A. Broken Object Level Authorization
B. Excessive Data Exposure
C. SQL Injection
D. Cross-Site Scripting (XSS)
E. Broken Authentication
Answers: A, B, E

API1:2019 – Broken Object Level Authorization.

Why this answer

Broken object level authorization, excessive data exposure, and broken authentication are common API vulnerabilities listed in OWASP API Security Top 10.

100
MCQ · medium

A vulnerability management team has identified a critical vulnerability with a CVSS score of 9.8. The vulnerability affects a public-facing web server that handles sensitive customer data. The team decides to apply a patch immediately without going through the normal patch testing cycle. What type of patching procedure is this?

A. Rolling patch deployment
B. Patch compliance tracking
C. Emergency patching
D. Standard patch management
Answer: C

Emergency patching is used for urgent vulnerabilities to reduce risk quickly.

Why this answer

When a critical vulnerability is actively exploited or poses immediate risk, emergency patching procedures are used to expedite deployment without standard testing.

101
MCQ · hard

A security team uses the Common Vulnerability Scoring System (CVSS) v3.1 to prioritize vulnerabilities. They find a vulnerability with a base score of 7.5 and vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. However, the asset is a public-facing web server with no backups. The team also checks the Exploit Prediction Scoring System (EPSS) and sees a score of 0.95 (95% probability of exploitation in the next 30 days). Which action should the team take first based on prioritizing by risk?

A. Expedite patch testing and deployment, and consider emergency change procedures
B. Apply the patch within the next 30 days as part of routine maintenance
C. Implement a network-based intrusion prevention system signature to block exploitation attempts
D. Deploy the patch immediately in the production environment without testing
Answer: A

Given the high EPSS and critical asset, the patch should be expedited with emergency change management.

Why this answer

The high EPSS score indicates imminent exploitation, and the impact to availability is high. The CVSS impact reflects a potential denial of service, which is critical for a public-facing server. The lack of backups increases the risk of data loss or extended downtime.

Therefore, immediate patching is the priority.

102
Multi-Select · medium

A security analyst is conducting a vulnerability assessment on a cloud environment and needs to select a tool to scan for misconfigurations against the CIS AWS Foundations Benchmark. Which TWO of the following tools are capable of performing compliance scanning against cloud benchmarks? (Select TWO.)

Select 2 answers
A. Nessus
B. Qualys
C. OpenSCAP
D. ScoutSuite
E. Wireshark
Answers: C, D

Correct; OpenSCAP can evaluate systems against CIS benchmarks, including cloud.

Why this answer

OpenSCAP and cloud-specific tools such as ScoutSuite (or Prowler) can assess cloud configurations against CIS benchmarks. Nessus and Qualys primarily perform vulnerability scanning; although they may offer compliance modules, the question expects tools built specifically for cloud benchmarks. OpenSCAP can be used with cloud content, and ScoutSuite is a cloud security auditing tool.

103
MCQ · medium

A vulnerability management analyst is reviewing scan results from a recent Nessus scan. The analyst notices a plugin with the output: 'The remote host is missing a security patch for CVE-2023-1234. The patch was released by the vendor on 2023-05-01.' Which phase of the vulnerability lifecycle is the analyst currently performing?

A. Prioritization
B. Remediation
C. Verification
D. Discovery
Answer: D

Discovery is the process of identifying vulnerabilities through scanning.

Why this answer

The analyst is reviewing scan results to identify vulnerabilities, which is the discovery phase of the vulnerability lifecycle.

104
Multi-Select · medium

A cybersecurity analyst is reviewing the configuration of a Linux server against CIS Benchmarks. The analyst notices that several settings deviate from the recommended baseline. Which TWO of the following are most likely to be considered Level 1 CIS Benchmark recommendations?

Select 2 answers
A. Remove all unnecessary packages and services
B. Enable mandatory access control (SELinux) in enforcing mode
C. Set password expiration to 90 days
D. Disable SSH root login
E. Configure audit rules for file permission changes
Answers: C, D

Password aging is a fundamental security control with low impact.

Why this answer

CIS Level 1 recommendations are basic security settings that do not cause significant operational impact. Setting password expiration and disabling root SSH login are common Level 1 items.

105
MCQ · medium

A security analyst is reviewing a DAST report from Burp Suite for a web application. The report indicates a potential Server-Side Request Forgery (SSRF) vulnerability in a feature that fetches URLs. Which of the following is the most effective mitigation?

A. Use a whitelist of allowed URLs and validate user input against it.
B. Disable the URL fetching feature entirely.
C. Increase memory limits on the server to prevent resource exhaustion.
D. Implement a Web Application Firewall (WAF) to block malicious requests.
Answer: A

Whitelisting prevents the server from making requests to arbitrary URLs.

Why this answer

SSRF can be mitigated by validating and sanitizing user input, whitelisting allowed URLs, and blocking access to internal networks.

106
MCQ · medium

During a vulnerability assessment, a security analyst discovers a critical vulnerability affecting a legacy application that cannot be patched due to vendor end-of-life status. Which of the following is the BEST next step?

A. Document the risk and implement compensating controls
B. Remove the legacy application from the network immediately
C. Disable the application until a patch becomes available
D. Apply a virtual patch via an intrusion prevention system
Answer: A

This aligns with the vulnerability management lifecycle: when patching is not possible, compensating controls should be implemented and documented.

Why this answer

When a patch is not available, implementing compensating controls is the best approach to mitigate risk. This may include network segmentation, access controls, or additional monitoring.

107
MCQ · medium

A security analyst is reviewing a vulnerability scan report and sees a finding for a web application with a CVSS v3.1 base score of 6.1. The vector string is AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. Which OWASP Top 10 category does this vulnerability most likely belong to?

A. A03: Injection
B. A05: Security Misconfiguration
C. A06: Vulnerable and Outdated Components
D. A01: Broken Access Control
Answer: A

Cross-site scripting is a form of injection, and in OWASP Top 10 2021, it is part of A03: Injection.

Why this answer

The vector indicates reflected XSS (user interaction required, scope changed, low confidentiality and integrity impact). Reflected XSS is part of the OWASP Top 10 category 'Injection' (2017) or 'Cross-site Scripting' (2021); the most direct description of the finding is Cross-site Scripting (XSS).

108
MCQ · medium

A vulnerability management team is prioritizing remediation of several vulnerabilities. They have access to EPSS scores and the CISA KEV catalog. Which factor should they consider FIRST when deciding which vulnerability to remediate?

A. The vulnerability with the highest base CVSS score
B. The vulnerability listed in the CISA Known Exploited Vulnerabilities catalog
C. The vulnerability affecting the most critical asset
D. The vulnerability with the highest EPSS score
Answer: B

Known exploited vulnerabilities should be prioritized due to active exploitation.

Why this answer

The CISA KEV catalog contains vulnerabilities that are actively exploited in the wild. These pose immediate risk and should be addressed before others, regardless of EPSS score or other factors.

109
MCQ · medium

An organization uses OpenSCAP to perform compliance scanning. The scan results indicate that a system fails to meet a STIG requirement. Which of the following best describes the purpose of STIGs?

A. They are used solely for web application security
B. They are vulnerability scoring standards
C. They are industry-standard benchmarks for cloud security
D. They are developed by the DoD to secure its information systems
Answer: D

STIGs are official DoD guidelines.

Why this answer

STIGs are detailed security configuration guides for DoD systems, providing hardening requirements.

110
MCQ · easy

A security analyst is reviewing a vulnerability scan report and sees a plugin with a CVSS v3.1 base score of 7.5. The attack vector is 'Network', attack complexity is 'Low', privileges required is 'None', user interaction is 'None', scope is 'Unchanged', and the confidentiality impact is 'High', but integrity and availability impacts are 'None'. This vulnerability is best described as:

A. A remote code execution vulnerability
B. A denial of service vulnerability
C. An information disclosure vulnerability
D. A privilege escalation vulnerability
Answer: C

High confidentiality impact with no other impacts indicates information disclosure.

Why this answer

The vector indicates a remote, easily exploitable vulnerability that only affects confidentiality (e.g., information disclosure).

111
Multi-Select · medium

A security analyst is performing a web application security assessment and identifies a potential cross-site scripting (XSS) vulnerability. The application is critical to business operations. Which TWO of the following are appropriate immediate actions?

Select 2 answers
A. Take the application offline immediately
B. Implement a web application firewall (WAF) rule to block XSS payloads
C. Ignore the finding because XSS is low risk
D. Notify law enforcement immediately
E. Report the vulnerability to the development team for remediation
Answers: B, E

A WAF rule can provide temporary mitigation.

Why this answer

Reporting the vulnerability to the development team ensures awareness, and implementing a WAF rule can provide temporary protection while a fix is developed.

112
MCQ · easy

Which of the following vulnerability scanning tools is open source and commonly used for network vulnerability assessment?

A. Nessus
B. Qualys
C. Rapid7 InsightVM
D. OpenVAS
Answer: D

OpenVAS is open source and widely used.

Why this answer

OpenVAS is a well-known open-source vulnerability scanner.

113
MCQ · easy

A security analyst is using OpenVAS to perform a vulnerability scan of an internal network. The scan completes and generates a report listing several vulnerabilities. What is the next step in the vulnerability lifecycle?

A. Prioritization
B. Verification
C. Reporting
D. Remediation
Answer: A

Vulnerabilities must be prioritized before deciding which to remediate.

Why this answer

After discovery (scanning), the next step is prioritization of vulnerabilities based on risk, exploitability, and business impact.

114
MCQ · easy

Which metric in the CVSS v3.1 base score indicates the level of access an attacker needs to exploit a vulnerability?

A. Privileges Required (PR)
B. Attack Vector (AV)
C. Attack Complexity (AC)
D. User Interaction (UI)
Answer: A

PR indicates the privileges required to exploit.

Why this answer

Privileges Required (PR) indicates the level of privileges an attacker must have before successfully exploiting the vulnerability.

115
MCQ · hard

A security team is implementing a patch management process for a large enterprise. They must ensure that patches are tested before deployment to production. The team has a staging environment that mirrors production. During patch testing, they discover that a critical security patch for a database server causes a performance degradation of 30% in a key application. What should the team do next?

A. Skip the patch and rely on existing security controls.
B. Apply the patch to production immediately because it fixes a critical vulnerability.
C. Contact the vendor for a fix or workaround, and implement compensating controls in the meantime.
D. Deploy the patch to a subset of production servers to test performance.
Answer: C

This addresses both the vulnerability and the performance issue.

Why this answer

The patch is critical but causes performance issues. The best approach is to work with the vendor for a resolution or apply compensating controls until a fix is available. Applying the patch blindly may disrupt operations, while skipping it leaves the vulnerability unaddressed.

116
MCQ · hard

A security analyst is investigating a containerized environment. A scan using Trivy has identified a critical vulnerability in a container image. The container is running in a Kubernetes cluster with a Pod Security Policy that disallows privileged containers. Which additional concern should the analyst address?

A. The vulnerability is not exploitable due to the Pod Security Policy
B. The vulnerability is automatically mitigated because the container is not privileged
C. The analyst should ignore the vulnerability because the container is not privileged
D. The analyst should immediately patch the image, but also verify that the Pod Security Policy prevents privilege escalation
Answer: D

Patching is required, and the Pod Security Policy reduces impact.

Why this answer

Even if the container image has a vulnerability, the Pod Security Policy reduces risk by preventing privilege escalation. The analyst should ensure that the exploit cannot gain additional privileges due to the policy.

117
Multi-Select · hard

A vulnerability management analyst is prioritizing vulnerabilities for remediation. The analyst has the following information for three vulnerabilities: CVE-2023-1: CVSS 9.8, EPSS 0.9, asset criticality high; CVE-2023-2: CVSS 7.5, EPSS 0.01, asset criticality low; CVE-2023-3: CVSS 5.0, EPSS 0.8, asset criticality medium. According to best practices, which THREE factors should the analyst consider when prioritizing? (Select THREE)

Select 3 answers
A. CVSS score
B. CVE publication date
C. Asset criticality
D. EPSS score
E. Number of vendors affected
Answers: A, C, D

Severity is a key factor.

Why this answer

Prioritization should consider severity (CVSS), likelihood of exploitation (EPSS), and asset criticality. KEV status is not given in the data. Patch complexity and vendor reputation are secondary considerations, not primary factors in this context.

118
MCQ · medium

A security analyst is reviewing a vulnerability scan report from Rapid7 InsightVM. The report shows that a Tomcat server has a plugin finding indicating that the 'Server' header is set to 'Apache-Coyote/1.1', which reveals the server version. Which type of vulnerability does this represent?

A. Broken access control
B. Injection vulnerability
C. Security misconfiguration
D. Cryptographic failure
Answer: C

Revealing the server version is a misconfiguration that leaks information.

Why this answer

Revealing server version information is a form of information disclosure, which is a security misconfiguration. It is not an injection, broken access control, or cryptographic failure.

119 · MCQ · easy

A security analyst needs to verify that a critical patch was successfully applied to all endpoints in the organization after an emergency patch deployment. Which phase of the vulnerability lifecycle is the analyst performing?

A. Remediation
B. Prioritization
C. Discovery
D. Verification
Answer: D

Verification confirms the patch was applied successfully.

Why this answer

Verification ensures that remediation (patch application) was effective. It occurs after the fix is applied.

120 · MCQ · easy

A security analyst is reviewing a vulnerability scan report and sees a critical finding with a CVSS v3.1 base score of 9.8. The vector string is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Which of the following best describes the attack vector component (AV:N)?

A. The attacker can exploit the vulnerability over a network from a remote system
B. The attacker must be on the same physical network segment
C. The attacker requires local access to the target system
D. The attacker must be physically present at the device
Answer: A

AV:N indicates network-based remote exploitation.

Why this answer

AV:N means the vulnerability can be exploited over a network, such as the internet, without requiring physical or local access.

121 · Multi-Select · medium

A security analyst is investigating a reported vulnerability in a web application. The team uses Burp Suite for DAST scanning. Which TWO of the following findings would be classified as injection vulnerabilities according to OWASP Top 10?

Select 2 answers
A. Use of a component with known vulnerabilities
B. Broken access control allowing privilege escalation
C. Stored XSS in the comment section
D. Security misconfiguration exposing directory listing
E. SQL injection in the login form
Answers: C, E

XSS is an injection vulnerability (injection of scripts).

Why this answer

SQL injection and Stored XSS are both injection flaws. SQL injection is classic injection, and XSS is also a form of injection.

122 · MCQ · hard

A security analyst is reviewing the results of a container image scan using Trivy. The scan reports a critical vulnerability in a base image layer. The development team states that the vulnerability is not exploitable because the affected library is not used in the application. According to vulnerability management best practices, what should the analyst do?

A. Accept the risk and close the finding.
B. Request that the development team remove the unused library and rebuild the image.
C. Ignore the finding since it is not exploitable.
D. Apply a compensating control at the network level to block exploitation.
Answer: B

Removing the unused library and rebuilding eliminates the vulnerability.

Why this answer

Even if the library is not used, it is best practice to rebuild the image with a patched base image to eliminate the vulnerability and ensure compliance.

123 · MCQ · hard

During a vulnerability assessment of a Kubernetes cluster, a security analyst finds that a container is running with privileged mode enabled and has a hostPath mount that grants write access to the host's /var/log directory. Which of the following is the most significant security risk associated with this configuration?

A. Data leakage through unrestricted storage access
B. Excessive network permissions allowing lateral movement
C. Potential for container escape and host node compromise
D. Increased attack surface due to unnecessary services running in the container
Answer: C

Privileged mode and hostPath mounts can facilitate escape.

Why this answer

Privileged containers combined with hostPath mounts can allow container escape, enabling an attacker to gain root access on the host node.

124 · Multi-Select · medium

A security analyst is configuring a compliance scanner to check Linux servers against the CIS Benchmark. The analyst wants to ensure that only foundational security configurations are enforced to avoid breaking production applications. Which TWO CIS Benchmark levels would be most appropriate for this environment? (Select TWO)

Select 2 answers
A. CIS Level 3 Benchmark
B. CIS Level 1 Benchmark
C. CIS Level 2 Benchmark
D. CIS Level 0 Benchmark
Answers: B, C

Level 1 is the basic security configuration.

Why this answer

CIS Benchmarks define two levels: Level 1 (basic) and Level 2 (comprehensive).

125 · MCQ · medium

A security analyst is reviewing a vulnerability scan report and finds a critical vulnerability with a CVSS v3.1 base score of 9.8. The vector string is: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Which of the following best describes the attack vector and impact of this vulnerability?

A. Adjacent attack vector, high impact on availability only
B. Network attack vector, high impact on confidentiality, integrity, and availability
C. Physical attack vector, medium impact on confidentiality
D. Local attack vector, low impact on confidentiality
Answer: B

Correct as per the CVSS vector.

Why this answer

AV:N indicates a network-based attack vector, meaning the vulnerability can be exploited remotely over the network. The CIA impact ratings are all High, indicating complete compromise of confidentiality, integrity, and availability.

126 · Multi-Select · hard

A security analyst is conducting a dynamic application security testing (DAST) scan of a REST API. The scanner reports a potential Server-Side Request Forgery (SSRF) vulnerability. The analyst needs to confirm the finding manually. Which TWO of the following techniques are most appropriate for validating SSRF?

Select 2 answers
A. Submit a payload that triggers the server to send a request to an attacker-controlled external server (e.g., Burp Collaborator)
B. Craft a request that causes the server to make a request to an internal IP address (e.g., 127.0.0.1) and observe the response
C. Inject malicious SQL queries into input fields to see if they are executed
D. Attempt to upload a malicious file to the server
E. Modify HTTP headers to test for cross-site scripting
Answers: A, B

Detects out-of-band interactions confirming SSRF.

Why this answer

SSRF can be confirmed by making requests to internal resources (e.g., localhost) and observing responses, or by using an external collaborator service to detect out-of-band callbacks.

127 · MCQ · easy

An organization uses OpenSCAP for compliance scanning. What is the primary purpose of OpenSCAP?

A. Vulnerability scanning
B. Intrusion detection
C. Penetration testing
D. Compliance scanning and configuration assessment
Answer: D

OpenSCAP validates configurations against security baselines like CIS or STIGs.

Why this answer

OpenSCAP is a tool for automated compliance checking against security policies like SCAP content.

128 · MCQ · medium

A security analyst is using a container image scanner to identify vulnerabilities in a Kubernetes deployment. Which of the following tools is specifically designed for container image scanning?

A. Trivy
B. OpenVAS
C. Nessus
D. Burp Suite
Answer: A

Trivy is designed for container image scanning.

Why this answer

Trivy is a popular open-source tool for scanning container images for vulnerabilities.

129 · MCQ · medium

A security analyst reviews a Nessus scan result for a web server. The plugin output indicates a critical vulnerability with CVSS v3.1 base score 9.8. The CVSS vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. Which of the following best describes the attack complexity?

A. Low
B. Critical
C. Medium
D. High
Answer: A

AC:L directly translates to Low attack complexity.

Why this answer

In the CVSS vector, AC:L means Attack Complexity is Low, indicating no special conditions are required for exploitation.

130 · MCQ · hard

During a configuration compliance scan using OpenSCAP, a security analyst finds that several Windows servers have the 'Network access: Do not allow anonymous enumeration of SAM accounts' setting set to 'Disabled'. This finding corresponds to a CIS Benchmark recommendation. Which of the following describes the most appropriate remediation step for this finding?

A. Disable the Guest account on all servers.
B. Apply a registry key to disable anonymous enumeration.
C. Restrict anonymous access using IPsec rules.
D. Enable the policy 'Network access: Do not allow anonymous enumeration of SAM accounts' via Group Policy.
Answer: D

This policy directly addresses the finding and is the recommended CIS remediation.

Why this answer

The setting should be enabled to prevent anonymous enumeration of SAM accounts. The remediation is to change the policy setting via Group Policy or local security policy.

131 · MCQ · medium

A security analyst is reviewing a vulnerability scan report and notices that a plugin output indicates a potential misconfiguration in a web server that allows directory listing. The analyst wants to verify this finding manually. Which of the following tools would be most appropriate to confirm the vulnerability?

A. Burp Suite
B. Metasploit
C. Wireshark
D. Nmap
Answer: A

Burp Suite allows manual inspection of web server responses and can confirm directory listing.

Why this answer

Burp Suite is a web application security testing tool that can be used to manually verify web vulnerabilities like directory listing by intercepting and modifying requests.

132 · MCQ · easy

A security analyst is using a DAST tool to test a web application. Which of the following vulnerabilities would the tool most likely identify?

A. Hardcoded credentials in source code
B. SQL injection
C. Outdated library versions
D. Insecure cryptographic algorithms in configuration
Answer: B

DAST can detect injection vulnerabilities by testing inputs.

Why this answer

DAST tools interact with the running application and can detect vulnerabilities like SQL injection by sending malicious inputs and observing responses.

133 · MCQ · medium

A security analyst is reviewing a DAST scan report for a web application. The report indicates a vulnerability where the application fails to properly validate user-supplied data before using it in a database query. This is most likely which type of vulnerability?

A. Cross-site scripting (XSS)
B. Security misconfiguration
C. Injection
D. Broken access control
Answer: C

Injection flaws occur when untrusted data is sent to an interpreter as part of a command or query.

Why this answer

Failure to validate user input before using it in a database query is classic SQL injection (an injection flaw).

134 · MCQ · medium

During a patch management process, an organization uses a staging environment to test patches before deployment. Which of the following is the primary purpose of patch testing in a staging environment?

A. To create a backup of production systems
B. To speed up the patch deployment process
C. To validate that the patch addresses the vulnerability without causing regressions
D. To comply with licensing requirements
Answer: C

Correct; testing verifies patch effectiveness and the absence of adverse effects.

Why this answer

Patch testing in a staging environment aims to identify potential issues (e.g., compatibility, regression) that could affect production systems, ensuring stability and minimizing disruptions.

135 · MCQ · hard

A vulnerability scan identifies a plugin output for 'SMB Signing Disabled' on a Windows server. The CVSS v3.1 base score is 5.3 (Medium). The asset is a file server used only internally. The organization has decided not to enable SMB signing due to performance concerns. Which of the following is the BEST compensating control?

A. Upgrade to SMB version 3.0 which has built-in signing
B. Accept the risk and document the decision
C. Segment the file server into a separate VLAN with strict access controls
D. Apply a host-based firewall rule to block SMB traffic from all sources
Answer: C

Network segmentation limits exposure to only necessary systems.

Why this answer

Since enabling SMB signing is not feasible, implementing network segmentation to restrict access to only authorized hosts reduces the attack surface.

136 · Multi-Select · medium

A security analyst is prioritizing vulnerabilities for remediation. Which THREE factors from the CISA Known Exploited Vulnerabilities (KEV) catalog should the analyst consider? (Select THREE.)

Select 3 answers
A. EPSS probability score
B. Date the vulnerability was added to the catalog
C. CVSS base score
D. Vulnerability name or CVE ID
E. Affected vendor or product
Answers: B, D, E

The date helps prioritize recent exploitation.

Why this answer

The KEV catalog lists vulnerabilities known to be exploited in the wild, including the date added, vendor name, and a brief description.

137 · MCQ · hard

An analyst is reviewing a vulnerability scan report for a containerized application. The scan identifies a critical vulnerability in a base image used by multiple containers. The application is deployed in a Kubernetes cluster with network policies restricting ingress. The vulnerability has a CVSS v3.1 score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). However, the EPSS score is 0.001 (0.1%). Which of the following should the analyst prioritize?

A. Apply a virtual patch via a web application firewall (WAF)
B. Ignore the vulnerability because it is in a container image
C. Schedule the patch for the next maintenance window because of low EPSS and network controls
D. Immediately patch the vulnerability within 24 hours due to the high CVSS score
Answer: C

Low EPSS and existing network policies lower the risk, allowing normal scheduling.

Why this answer

Despite the high CVSS score, the EPSS score indicates an extremely low likelihood of exploitation in the wild. The business context and compensating controls (network policies) reduce risk. Therefore, remediation can be scheduled in the normal patch cycle.

138 · MCQ · hard

A security team is scanning container images with Trivy and finds a vulnerability with CVSS v3.1 vector AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H. The vulnerability exists in a container running as a privileged container on a Kubernetes cluster. The team is prioritizing based on risk. Given the CVSS vector, which factor most significantly reduces the likelihood of exploitation in this context?

A. Attack Vector: Local
B. Privileges Required: High
C. Attack Complexity: High
D. User Interaction: None
Answer: A

Local access is required, meaning the attacker must already have a foothold on the system, reducing exploitability from remote.

Why this answer

AV:L (Local) means the attacker must already have local access to exploit the flaw; remote exploitation is not possible. AC:H (High) and PR:H (High) also reduce the likelihood of exploitation, but the local attack vector is the most significant limiting factor because it restricts where an attack can originate. In a container context, local access may be easier to obtain, yet the vector still shows that the flaw is not remotely exploitable.

The best answer is Attack Vector: Local.

139 · MCQ · easy

A security analyst is configuring a container image scanning tool to identify vulnerabilities in a Docker image before deployment. Which of the following tools is commonly used for container image scanning?

A. Metasploit
B. Nmap
C. Wireshark
D. Trivy
Answer: D

Correct; Trivy is a container image vulnerability scanner.

Why this answer

Trivy is a popular open-source container image vulnerability scanner. It is widely used for scanning Docker images for known vulnerabilities.
