CCNA Vulnerability Management Questions

74 of 149 questions · Page 2/2 · Vulnerability Management topic · Answers revealed

76
MCQhard

Your organization has deployed a new web application on a Linux server. The application uses a custom database port (TCP 3307). During a routine vulnerability scan, the scanner reports a critical vulnerability: 'MySQL Server - Unrestricted File Upload (CVE-20XX-XXXX)'. The system administrator confirms that MySQL is not installed; the custom database uses PostgreSQL on port 3307. The scanner likely misidentified the service due to port-based fingerprinting. On further investigation, you find that the scanner's fingerprinting database has an incorrect mapping for port 3307. The PostgreSQL version is current and fully patched. The environment is production and cannot be disrupted. Which of the following is the BEST action to take?

A.Manually update the scanner's database to correct the port mapping.
B.Schedule an immediate patch of the supposed MySQL vulnerability.
C.Apply a workaround to block file upload functionality on port 3307.
D.Mark the vulnerability as a false positive and suppress it for this asset.
AnswerD

Accurately identifies the issue and prevents future alerts.

Why this answer

Option D is correct because the vulnerability report is based on a false positive: the scanner misidentified the service on port 3307 as MySQL due to an incorrect port mapping in its fingerprinting database, while the actual service is a fully patched PostgreSQL. Since MySQL is not installed and no actual vulnerability exists, marking the finding as a false positive and suppressing it for this asset is the appropriate response in a production environment that cannot be disrupted.

Exam trap

CompTIA often tests the candidate's ability to distinguish between a true vulnerability and a false positive caused by service misidentification, trapping those who jump to patching or blocking without verifying the actual service running on the port.

How to eliminate wrong answers

Option A is wrong because manually updating the scanner's database is not a standard or recommended remediation action; scanner databases are vendor-managed, and manual edits could cause further inaccuracies or be overwritten on the next update. Option B is wrong because scheduling an immediate patch for a supposed MySQL vulnerability is unnecessary and potentially disruptive, as MySQL is not installed and the PostgreSQL service is fully patched—applying a non-existent patch wastes resources and may introduce risk. Option C is wrong because applying a workaround to block file upload functionality on port 3307 is irrelevant; PostgreSQL does not have an unrestricted file upload vulnerability, and blocking functionality would disrupt legitimate database traffic without addressing the actual scanner misidentification.

77
MCQhard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For control selection, Which control best addresses the stated weakness without hiding risk?

A.Wireless spectrum analysis
B.Physical badge access reviews
C.Database transaction log backups
D.Software composition analysis in the CI/CD pipeline
AnswerD

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software composition analysis (SCA) is the correct control because it automatically scans the project's dependencies against known vulnerability databases (e.g., NVD, GitHub Advisory Database) to identify vulnerable open-source libraries before deployment. Integrating SCA into the CI/CD pipeline ensures that vulnerabilities are caught early in the development lifecycle, aligning with the shift-left security principle without suppressing or masking risk.

Exam trap

CompTIA often tests the distinction between vulnerability scanning (SCA) and other security controls like network monitoring or physical security, so the trap here is confusing a general security practice (e.g., backups or access reviews) with a specific software dependency scanning control that directly addresses the stated weakness.

How to eliminate wrong answers

Option A is wrong because wireless spectrum analysis (e.g., using tools like Wireshark or spectrum analyzers) is used to detect rogue access points or interference in wireless networks, not to identify vulnerable open-source libraries in code. Option B is wrong because physical badge access reviews control physical access to facilities, not software dependencies or code-level vulnerabilities. Option C is wrong because database transaction log backups are a data recovery and integrity control, unrelated to scanning for vulnerable open-source libraries in a development pipeline.

78
MCQhard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A.Change the severity to informational automatically
B.Delete the server from the scan scope
C.Close the finding because the owner disagrees
D.Manually test the service with a TLS client or scanner profile that negotiates protocol versions
AnswerD

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option D is correct because the most reliable way to validate whether TLS 1.0 is truly disabled is to perform an active, negotiated test using a TLS client (e.g., OpenSSL s_client) or a scanner profile that explicitly attempts to connect using only TLS 1.0. This bypasses any potential misconfiguration in the scanner's service detection or version negotiation logic, and directly confirms whether the server accepts a TLS 1.0 handshake. Relying solely on the scanner's banner grab or the owner's assertion can miss cases where the server still supports the protocol on certain ports or under specific cipher suites.

Exam trap

CompTIA often tests the concept that scanner results must be validated through active, protocol-specific testing rather than relying on configuration assertions or passive detection, and the trap here is assuming that a service owner's claim or a scanner's default detection is sufficient without manual verification.

How to eliminate wrong answers

Option A is wrong because changing severity to informational does not resolve the underlying validation issue; it merely hides the finding and could mask a real vulnerability if TLS 1.0 is actually enabled. Option B is wrong because deleting the server from the scan scope removes all future visibility into that asset, which is an overreaction and prevents ongoing security monitoring. Option C is wrong because closing a finding solely because the owner disagrees violates the principle of independent validation; the scanner's result must be verified through technical means, not dismissed based on opinion.

79
MCQhard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A.Physical badge access reviews
B.Wireless spectrum analysis
C.Software composition analysis in the CI/CD pipeline
D.Database transaction log backups
AnswerC

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software composition analysis (SCA) is the correct control because it specifically scans open-source libraries for known vulnerabilities (CVEs) and license compliance issues. Integrating SCA into the CI/CD pipeline ensures that vulnerable dependencies are detected automatically before code is deployed, enabling early remediation without manual overhead.

Exam trap

Cisco often tests the distinction between vulnerability scanning (SCA) and network or physical controls, expecting candidates to recognize that open-source library risks require a software-focused tool, not a hardware or access control solution.

How to eliminate wrong answers

Option A is wrong because physical badge access reviews control physical security, not software library vulnerabilities; they have no mechanism to inspect open-source code or its dependencies. Option B is wrong because wireless spectrum analysis monitors radio frequency interference and rogue access points, not software libraries; it addresses network-layer threats, not application-layer dependency risks.

80
MCQmedium

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A.Restrict public access and determine whether sensitive data was accessed
B.Wait for the next quarterly review
C.Rotate database administrator passwords only
D.Delete all audit logs to reduce liability
AnswerA

The priority is exposure containment and impact assessment.

Why this answer

Option A is correct because the immediate priority is to stop the data leak by restricting public read access to the storage bucket, then investigate whether sensitive data was actually accessed. This aligns with the incident response principle of containment before analysis. In cloud environments like AWS S3 or Azure Blob Storage, a bucket with public read access exposes all objects to the internet, and the first step is to apply a bucket policy or ACL to deny public access.

Exam trap

Cisco often tests the misconception that rotating credentials (like database passwords) is a catch-all fix for data exposure, but the trap here is that the vulnerability is a misconfigured storage bucket, not compromised credentials, so the correct first step is to restrict public access and assess exposure.

How to eliminate wrong answers

Option B is wrong because waiting for the next quarterly review leaves sensitive customer data exposed to the internet for an extended period, violating data protection regulations and incident response best practices. Option C is wrong because rotating database administrator passwords does not address the root cause—a misconfigured storage bucket with public read access—and is an irrelevant action for this specific vulnerability.

81
MCQmedium

A business unit accepts the risk of delaying a patch because downtime would breach a contractual deadline. What should be updated? For validation, Which action should be taken before closing or downgrading the finding?

A.The risk register with owner, justification, expiry date, and compensating controls
B.The firewall vendor invoice
C.The incident containment playbook only
D.The phishing training completion list
AnswerA

Risk acceptance must be explicit, time-bound, owned, and controlled.

Why this answer

When a business unit formally accepts the risk of delaying a patch due to contractual constraints, the risk must be documented in the risk register. This entry should include the owner, justification, expiry date, and compensating controls to ensure the risk is tracked, reviewed, and eventually remediated. This aligns with the vulnerability management lifecycle, where accepted risks require formal documentation and periodic reassessment.

Exam trap

Cisco often tests the distinction between risk acceptance documentation (risk register) and operational documents (playbooks, invoices), tricking candidates into thinking any update related to the delay is sufficient, when only the risk register captures the formal acceptance process.

How to eliminate wrong answers

Option B is wrong because the firewall vendor invoice is a financial document unrelated to risk acceptance or vulnerability management; it does not track risk decisions or compensating controls. Option C is wrong because the incident containment playbook is designed for active incident response, not for documenting accepted risks from delayed patching; updating it would not address the need to formally record the risk acceptance.

82
MCQeasy

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A.Authenticated scanning with a test account and session handling
B.Reduce the scan to only the landing page
C.Disable all application authentication
D.Treat absence of findings as proof of security
AnswerA

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners analyze live web applications by sending HTTP requests and inspecting responses. When authentication is required to access protected pages, the scanner must maintain a valid session to reach those endpoints. Configuring authenticated scanning with a test account and proper session handling (e.g., using cookies, tokens, or form-based login) allows the scanner to traverse authenticated pages, ensuring the scan covers the full attack surface and reports findings from restricted areas.

Exam trap

Cisco often tests the misconception that disabling authentication or reducing scope is an acceptable workaround, when the correct approach is to configure the scanner to properly handle the existing authentication mechanism.

How to eliminate wrong answers

Option B is wrong because reducing the scan to only the landing page would intentionally ignore all other pages, including authenticated ones, which directly contradicts the goal of improving result quality by reaching more content. Option C is wrong because disabling all application authentication would fundamentally alter the application's security posture, potentially breaking business logic and causing the scanner to test a non-representative environment, rather than properly handling the existing authentication mechanism.

83
MCQeasy

A security analyst is reviewing vulnerability scan results and notices that several critical vulnerabilities have been reported on the same web server for three consecutive months. The server owner states that the patches cannot be applied due to application compatibility issues. Which of the following is the BEST course of action?

A.Escalate the issue to senior management and move on
B.Remove the web server from service until patches are applied
C.Schedule a rescan to verify if the vulnerabilities still exist
D.Implement compensating controls to reduce the risk
AnswerD

Compensating controls mitigate the risk when patching is not possible.

Why this answer

Option D is correct because when a known vulnerability cannot be patched due to application compatibility issues, the standard risk management approach is to implement compensating controls. These controls (e.g., Web Application Firewall rules, network segmentation, or host-based IPS) reduce the likelihood or impact of exploitation without modifying the vulnerable application. This aligns with the NIST SP 800-40 Rev. 4 guidance on vulnerability handling, which explicitly recommends compensating controls when patching is not feasible.

Exam trap

Cisco often tests the misconception that rescanning (Option C) is the correct next step, but the trap here is that rescanning does not change the risk posture—it only confirms what is already known, while the question requires a risk-reducing action.

How to eliminate wrong answers

Option A is wrong because simply escalating to senior management without taking any action to reduce risk is a passive approach that leaves the vulnerability exploitable; the analyst must still recommend or implement compensating controls. Option B is wrong because removing the web server from service is an extreme measure that may not be justified if compensating controls can adequately mitigate the risk, and it could cause unnecessary business disruption. Option C is wrong because rescanning will only confirm the same vulnerabilities still exist (since patches were not applied), wasting time without addressing the underlying risk.

84
MCQhard

Based on the scan output, which vulnerability should be prioritized first for remediation?

A.CVE-2019-16905
B.CVE-2020-15778
C.CVE-2020-12060
D.Both A and B equally.
AnswerB

Highest CVSS score (9.8).

Why this answer

CVE-2020-15778 is a critical command injection vulnerability in OpenSSH's scp utility (CVE-2020-15778) that allows an unauthenticated remote attacker to execute arbitrary commands on the target system by crafting a malicious scp source path. This vulnerability has a CVSS score of 8.8 (High) and is remotely exploitable without authentication, making it the highest priority for remediation over the other listed CVEs.

Exam trap

CompTIA often tests the principle that remote code execution (RCE) vulnerabilities with no authentication requirement should always be prioritized over local privilege escalation or denial-of-service vulnerabilities, even if the latter have higher CVSS scores in some categories.

How to eliminate wrong answers

Option A is wrong because CVE-2019-16905 is a privilege escalation vulnerability in the Linux kernel's eBPF subsystem (bpf_skb_change_head) that requires local access to exploit, making it less critical than a remotely exploitable command injection. Option C is wrong because CVE-2020-12060 is a denial-of-service (DoS) vulnerability in the Linux kernel's NFSv4.2 implementation that requires specific conditions and only causes a system crash, not remote code execution. Option D is wrong because both A and C are not equally critical; CVE-2020-15778 is the only one that allows unauthenticated remote command execution, which is a higher severity and should be prioritized first.

85
MCQhard

A security analyst reviews this S3 bucket policy. Which vulnerability is present?

A.Missing encryption
B.Cross-site scripting
C.Insecure direct object reference
D.Public read access to all objects
AnswerD

Principal '*' with Allow effect grants public access to all objects in the bucket.

Why this answer

The S3 bucket policy grants public read access to all objects via the `Principal: "*"` and `Action: "s3:GetObject"` statement. This means any unauthenticated user on the internet can list and download objects in the bucket, exposing sensitive data. The vulnerability is explicitly public read access, not missing encryption or application-layer flaws.

Exam trap

CompTIA often tests the distinction between a misconfigured access control policy (like public read) and other vulnerability types (like encryption or injection), so candidates mistakenly choose 'missing encryption' because they see a lack of security controls, but the policy itself does not address encryption at all.

How to eliminate wrong answers

Option A is wrong because missing encryption (e.g., server-side encryption not enforced) is a compliance or data-at-rest risk, but the policy shown does not disable encryption—it simply allows public reads. Option B is wrong because cross-site scripting (XSS) is a web application vulnerability involving injection of malicious scripts into web pages, not a misconfiguration in an S3 bucket policy. Option C is wrong because insecure direct object reference (IDOR) is an access control flaw where a user can access unauthorized resources by manipulating identifiers (e.g., object keys), but the policy here grants blanket public access to all objects, not a per-object IDOR issue.

86
MCQeasy

A vulnerability scan identifies a critical unauthenticated remote-code-execution flaw on an internet-facing VPN appliance that is actively exploited in the wild. Several internal-only medium vulnerabilities are also present. What should be remediated first? For control selection, Which control best addresses the stated weakness without hiding risk?

A.Patch or mitigate the VPN appliance immediately and verify exposure is removed
B.Remediate only low-risk internal findings to improve closure rate
C.Start with the oldest medium vulnerability
D.Defer all remediation until the monthly patch window
AnswerA

Internet exposure plus active exploitation makes this the highest-risk item despite other findings.

Why this answer

The VPN appliance's critical unauthenticated remote-code-execution flaw is actively exploited in the wild, posing an immediate and severe risk to the entire network perimeter. Remediating this first aligns with the vulnerability management principle of prioritizing by risk severity and exploitability, as an internet-facing device with a known active exploit bypasses all authentication controls and can lead to full compromise. Patching or mitigating it directly removes the exposure without obscuring the risk, unlike compensating controls that might hide the underlying weakness.

Exam trap

Cisco often tests the misconception that all vulnerabilities should be remediated in order of CVSS score alone, but here the trap is that candidates might choose a lower-severity internal finding because it is 'older' or 'easier to fix,' ignoring the criticality of an actively exploited, internet-facing RCE that demands immediate action regardless of other metrics.

How to eliminate wrong answers

Option B is wrong because focusing on low-risk internal findings to improve closure rate ignores the critical external threat; closure rate metrics are secondary to actual risk reduction, and this approach would leave the most dangerous vulnerability unaddressed. Option C is wrong because prioritizing by age (oldest medium vulnerability) disregards severity and active exploitation; a medium internal flaw, regardless of age, poses far less risk than a critical unauthenticated RCE on an internet-facing device that is already being exploited in the wild.

87
Drag & Dropmedium

Order the steps for deploying a new security patch to a production environment.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Patch deployment involves download/verification, testing, backup, rollout, and monitoring.

88
MCQeasy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For validation, Which action should be taken before closing or downgrading the finding?

A.Asset criticality, exposure, and business impact
B.The colour of the scanner dashboard
C.The number of installed fonts
D.Whether the hostname is shorter
AnswerA

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

Remediation priority is determined by risk, which is a function of asset criticality, exposure, and business impact. The public payment API has high asset criticality (handles sensitive financial data), high exposure (accessible from the internet), and high business impact (breach could cause regulatory fines and revenue loss), whereas the isolated lab server has low exposure and minimal business impact. This aligns with the CVSS environmental score modifiers and NIST SP 800-30 risk assessment methodology.

Exam trap

Cisco often tests the misconception that all vulnerabilities with the same CVE should be patched with equal urgency, ignoring the criticality of the asset and its exposure to threats.

How to eliminate wrong answers

Option B is wrong because the colour of the scanner dashboard is a cosmetic UI element and has no bearing on risk-based prioritization; vulnerability management decisions must be data-driven, not based on visual indicators. Option C is wrong because the number of installed fonts is irrelevant to security posture or remediation priority; it does not affect exploitability, exposure, or business impact.

89
MCQeasy

A DAST scan cannot reach authenticated pages of a web application and reports only public content findings. What should be configured? For validation, Which action should be taken before closing or downgrading the finding?

A.Disable all application authentication
B.Treat absence of findings as proof of security
C.Authenticated scanning with a test account and session handling
D.Reduce the scan to only the landing page
AnswerC

DAST needs valid authentication and session management to test protected functionality.

Why this answer

DAST scanners require authenticated sessions to crawl and test pages behind login forms. Configuring authenticated scanning with a test account and proper session handling (e.g., cookie-based or token-based authentication) allows the scanner to maintain state and reach protected endpoints. Without this, the scanner only sees public content, missing vulnerabilities in authenticated areas.

Exam trap

Cisco often tests the misconception that disabling authentication or ignoring missing findings is acceptable, when the correct approach is to configure authenticated scanning to ensure comprehensive coverage of the attack surface.

How to eliminate wrong answers

Option A is wrong because disabling all application authentication would remove the security controls protecting sensitive pages, potentially exposing the application to unauthorized access and violating security requirements. Option B is wrong because treating the absence of findings as proof of security is a false sense of confidence; the scanner simply did not test the authenticated pages, so no conclusions about their security can be drawn.

90
MCQeasy

A vulnerability scan report shows a critical vulnerability on a web server with a CVSS score of 9.8. The IT manager wants to know the risk to the organization. Which of the following factors should the analyst consider FIRST?

A.The asset value and business criticality
B.The vendor's patch release schedule
C.The number of exploit attempts in the logs
D.The number of other vulnerabilities on the server
AnswerA

The impact of exploitation depends on how critical the server is.

Why this answer

The CVSS score of 9.8 indicates a critical severity vulnerability, but risk is a function of both severity and business context. The analyst must first assess the asset value and business criticality of the web server because a critical vulnerability on a non-essential server poses lower risk than the same vulnerability on a server handling sensitive data or core business processes. Without this context, the organization cannot prioritize remediation effectively.

Exam trap

CompTIA often tests the distinction between vulnerability severity (CVSS) and organizational risk, trapping candidates who confuse a high CVSS score with automatically high risk without considering asset context.

How to eliminate wrong answers

Option B is wrong because the vendor's patch release schedule is an operational consideration for remediation timing, not the primary factor for determining risk; risk assessment must first establish the impact on the organization. Option C is wrong because the number of exploit attempts in logs indicates current threat activity, but risk is evaluated based on potential impact and likelihood, not solely on observed attacks; a vulnerability with no current exploits can still pose high risk if the asset is critical. Option D is wrong because the number of other vulnerabilities on the server is irrelevant to the risk of this specific vulnerability; each vulnerability must be assessed independently based on asset criticality and exposure.

91
Multi-Selectmedium

A vulnerability management analyst is reviewing the results of an authenticated scan. The analyst identifies several medium-severity vulnerabilities that have been present for over a year. Which of the following are the best actions to take? (Choose two.)

Select 2 answers
A.Verify the vulnerabilities are still relevant by re-scanning.
B.Escalate to the asset owner for remediation.
C.Accept the risk if the system is no longer in use.
D.Remove the system from the network.
E.Increase the severity rating to high to ensure remediation.
AnswersA, B

Re-scanning confirms current status.

Why this answer

Option A is correct because re-scanning verifies whether the vulnerabilities are still present or have been remediated by other means (e.g., patching, configuration changes). Over a year, the environment may have changed, and the original scan results could be stale. An authenticated scan provides deeper visibility, but a fresh scan is the only way to confirm current relevance before taking further action.

Exam trap

CompTIA often tests the misconception that old vulnerabilities should automatically be escalated or reclassified, when in fact the first step is always to re-verify the finding with a current scan to avoid wasting resources on false positives or already-remediated issues.

92
MCQhard

A security analyst is tasked with performing a risk assessment for a new web application. The application will handle sensitive customer data. Which of the following should the analyst do FIRST to identify vulnerabilities specific to the application?

A.Run a network vulnerability scan against the application server.
B.Perform a penetration test on the application.
C.Perform a source code review.
D.Conduct a threat model of the application.
AnswerD

Threat modeling identifies threats and vulnerabilities early.

Why this answer

Option C is correct because a threat model helps identify potential vulnerabilities early in the development lifecycle. Option A is wrong because a network scan is too broad. Option B is wrong because a penetration test is performed later.

Option D is wrong because a code review may be part of the process but threat modeling comes first.

93
MCQeasy

A security analyst is conducting a vulnerability assessment of a web application. The assessment reveals that the application is vulnerable to SQL injection. Which of the following is the MOST effective remediation?

A.Upgrade the web application framework to the latest version
B.Deploy a web application firewall (WAF)
C.Use parameterized queries in the application code
D.Implement client-side input validation
AnswerC

Parameterized queries eliminate SQL injection vulnerabilities.

Why this answer

Parameterized queries (also known as prepared statements) are the most effective remediation for SQL injection because they separate SQL logic from user-supplied data by using placeholders. The database engine treats the input strictly as data, not executable code, which prevents an attacker from altering the query structure. This addresses the root cause at the application layer, unlike other controls that only mitigate or detect the attack.

Exam trap

CompTIA often tests the misconception that a WAF is a sufficient fix for SQL injection, but the trap here is that a WAF is a compensating control, not a remediation—the question asks for the 'most effective remediation,' which must address the root cause in the code.

How to eliminate wrong answers

Option A is wrong because upgrading the web application framework may patch known vulnerabilities but does not fix the insecure coding practice of concatenating user input into SQL statements; the SQL injection flaw remains if the code itself is not changed. Option B is wrong because a web application firewall (WAF) can detect and block some SQL injection payloads, but it is a reactive, signature-based control that can be bypassed with obfuscation or novel attack patterns, and it does not eliminate the underlying vulnerability. Option D is wrong because client-side input validation can be easily bypassed by an attacker using tools like Burp Suite or cURL to send crafted requests directly to the server, and it provides no security against server-side injection.

94
Multi-Selecthard

A security analyst is prioritizing vulnerabilities from a scan. Which TWO factors should be considered to determine the remediation priority? (Select TWO)

Select 2 answers
A.Exploit code availability
B.Vendor patch availability
C.Number of affected systems
D.CVSS base score
E.Age of the vulnerability
AnswersA, C

Public exploits increase the urgency for remediation.

Why this answer

Exploit code availability is a critical factor because if working exploit code is publicly available, the vulnerability is far more likely to be actively exploited, increasing the risk and urgency for remediation. This directly impacts the likelihood of a breach, making it a key priority driver beyond just the CVSS score.

Exam trap

Cisco often tests the misconception that CVSS base score alone determines priority, but the exam emphasizes that exploit availability and asset criticality (here, number of affected systems) are more actionable for remediation prioritization.

95
Multi-Selectmedium

Which findings should be included when reporting remediation performance to asset owners? (Choose two.)

Select 2 answers
A.Recently remediated findings awaiting validation
B.Every raw scanner debug line
C.Unrelated physical-access badge failures
D.Open critical findings past SLA by owner
AnswersA, D

This shows work completed but not yet verified.

Why this answer

Recently remediated findings awaiting validation are a critical metric for asset owners because they confirm that remediation actions have been taken and are pending verification. This aligns with the vulnerability management lifecycle, where validation ensures the fix was applied correctly and no residual risk remains. Including this status in reports provides asset owners with actionable insight into the progress of remediation efforts and any outstanding steps needed to close the finding.

Exam trap

Cisco often tests the distinction between operational data (e.g., raw scanner logs) and actionable remediation metrics, tempting candidates to select overly detailed or irrelevant information instead of the concise, status-driven data that asset owners need.

96
MCQhard

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For validation, Which action should be taken before closing or downgrading the finding?

A.Remediate alphabetically by CVE ID
B.Prioritize the KEV/high-EPSS issue after confirming asset exposure
C.Always sort only by CVSS base score
D.Remediate only vulnerabilities with vendor logos in the report
AnswerB

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option B is correct because the CISA KEV vulnerability with high EPSS indicates active exploitation in the wild, making it a critical threat regardless of its medium CVSS base score. Prioritizing it after confirming asset exposure ensures the organization addresses the most imminent risk first, as high CVSS issues that are not exploitable in the environment pose no actual danger. This aligns with risk-based vulnerability management, where exploitability and threat intelligence (KEV, EPSS) override raw severity scores.

Exam trap

Cisco often tests the misconception that CVSS base score alone determines priority, but the trap here is that real-world risk assessment must incorporate threat intelligence (KEV, EPSS) and environmental context (exploitability) to avoid wasting resources on non-exploitable high-severity issues.

How to eliminate wrong answers

Option A is wrong because remediating alphabetically by CVE ID ignores all risk factors, such as exploitability, asset exposure, and threat intelligence, leading to inefficient and potentially dangerous prioritization. Option C is wrong because sorting only by CVSS base score neglects environmental context (e.g., non-exploitable high CVSS issues) and active exploitation indicators (KEV, EPSS), which are critical for effective vulnerability management.

97
Multi-Selecthard

A security analyst is prioritizing vulnerabilities for remediation. The analyst has the following information: a vulnerability with a CVSS score of 9.0 that affects a public-facing web server, and a vulnerability with a CVSS score of 7.5 that affects an internal database server with sensitive data. Which two factors should the analyst consider when prioritizing? (Choose two.)

Select 2 answers
A.The presence of known exploits in the wild.
B.The vendor's patch release date.
C.The asset's exposure and criticality.
D.The number of open ports on each server.
E.The vulnerability publication date.
AnswersA, C

Active exploits increase urgency.

Why this answer

Option A is correct because the presence of known exploits in the wild directly impacts the likelihood of a vulnerability being weaponized. Even a high CVSS score (e.g., 9.0) may be less urgent if no exploit exists, while a lower-scored vulnerability (e.g., 7.5) with active exploitation poses an immediate threat. This aligns with the CVSS environmental metrics and threat intelligence integration in vulnerability management.

Exam trap

Cisco often tests the misconception that CVSS score alone determines priority, whereas the correct approach combines CVSS with threat intelligence (exploit availability) and asset criticality/exposure.

98
Multi-Selectmedium

Which items belong in a vulnerability exception request? (Choose three.)

Select 3 answers
A.Business justification for delayed remediation
B.A request to remove the asset from inventory
C.Expiration or review date
D.Compensating controls
AnswersA, C, D

Justification explains why normal remediation cannot occur.

Why this answer

A vulnerability exception request is a formal process to accept the risk of not remediating a vulnerability within the standard timeframe. A business justification for delayed remediation is a core component because it documents the operational, financial, or technical reasons why the fix cannot be applied immediately, which is required for risk acceptance by management. Without this justification, the exception lacks the necessary context for approval and audit compliance.

Exam trap

Cisco often tests the distinction between operational risk acceptance (exception request) and asset lifecycle management (decommissioning), leading candidates to incorrectly include asset removal as part of the exception process.

99
MCQmedium

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For validation, Which action should be taken before closing or downgrading the finding?

A.Give all users local admin rights
B.Mark the vulnerability as fixed
C.Documented risk acceptance with compensating controls and a migration/remediation plan
D.Remove the system from future reports
AnswerC

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

When a legacy system cannot be patched due to vendor end-of-life, the vulnerability manager must formally accept the risk by documenting the risk acceptance, implementing compensating controls (e.g., network segmentation, host-based firewall rules, or application whitelisting), and creating a migration or remediation plan to eventually retire or replace the system. This aligns with the NIST SP 800-53 risk management framework and ensures auditability.

Exam trap

Cisco often tests the misconception that 'no patch available' means the vulnerability can be closed as 'fixed' or that compensating controls alone are sufficient without formal documentation and a plan.

How to eliminate wrong answers

Option A is wrong because granting all users local admin rights would increase the attack surface and privilege escalation risk, directly violating the principle of least privilege and potentially making the system more vulnerable. Option B is wrong because marking the vulnerability as fixed when no patch has been applied is a false positive closure; vulnerabilities must be remediated, mitigated, or formally accepted, not simply closed without evidence.

100
MCQmedium

A cloud posture scan finds a storage bucket with public read access containing customer exports. What should the team do first? For business prioritization, Which recommendation gives the best risk-based order of work?

A.Delete all audit logs to reduce liability
B.Wait for the next quarterly review
C.Restrict public access and determine whether sensitive data was accessed
D.Rotate database administrator passwords only
AnswerC

The priority is exposure containment and impact assessment.

Why this answer

Option C is correct because the immediate priority is to contain the data exposure by restricting public access to the storage bucket, then investigate whether sensitive data was actually accessed by unauthorized parties. This aligns with the vulnerability management principle of 'contain first, investigate second' and addresses the risk of data exfiltration without waiting for a scheduled review or performing unrelated actions.

Exam trap

The trap here is that candidates may choose to rotate passwords (Option D) as a generic security response, but the question specifically tests the ability to prioritize containment of the exposed resource over unrelated credential changes.

How to eliminate wrong answers

Option A is wrong because deleting audit logs destroys forensic evidence needed to determine the scope of the breach and violates compliance requirements (e.g., GDPR, PCI DSS) that mandate retention of logs for incident investigation. Option B is wrong because waiting for the next quarterly review leaves the bucket publicly accessible, allowing continued unauthorized access and potential data exfiltration, which is unacceptable for a critical finding. Option D is wrong because rotating database administrator passwords does not address the storage bucket's public read access; it is an unrelated control that does not mitigate the immediate exposure of customer exports.

101
MCQhard

A vulnerability assessment identifies that an external-facing server has an outdated TLS version configured. The server supports TLS 1.0 and SSL 3.0. Which of the following is the MOST secure configuration change?

A.Upgrade to TLS 1.3 and disable all others
B.Disable TLS 1.0 and keep SSL 3.0
C.Enable TLS 1.2 and disable SSL 3.0 and TLS 1.0
D.Disable SSL 3.0 and enable TLS 1.2
AnswerC

Eliminates all insecure protocols and enables a secure one.

Why this answer

Option C is correct because it disables the insecure SSL 3.0 and TLS 1.0 protocols while enabling TLS 1.2, which is currently the most widely supported secure TLS version. TLS 1.2 provides strong cipher suites and has no known practical vulnerabilities like POODLE (SSL 3.0) or BEAST (TLS 1.0). This configuration balances security with compatibility for modern clients.

Exam trap

Cisco often tests the distinction between 'disabling only the most vulnerable protocol' (Option D) versus 'disabling all insecure protocols and enabling a secure one' (Option C), trapping candidates who forget that TLS 1.0 is also considered deprecated and insecure.

How to eliminate wrong answers

Option A is wrong because upgrading directly to TLS 1.3 may break compatibility with many existing clients and servers that do not yet support TLS 1.3, and the question asks for the 'most secure' change given the current state, not a future-proof upgrade. Option B is wrong because keeping SSL 3.0 enabled leaves the server vulnerable to the POODLE attack (CVE-2014-3566), which allows plaintext recovery from encrypted sessions. Option D is wrong because it only disables SSL 3.0 but does not explicitly disable TLS 1.0, leaving the server vulnerable to the BEAST attack (CVE-2011-3389) and other TLS 1.0 weaknesses.

102
Multi-Selectmedium

A security analyst is prioritizing vulnerabilities for remediation. Which TWO factors should be considered HIGHEST when determining prioritization? (Choose two.)

Select 2 answers
A.CVSS base score
B.Number of false positives associated with the scan
C.System owner's preference
D.Age of the vulnerability
E.Known exploit availability
AnswersA, E

CVSS score provides a standardized severity rating.

Why this answer

The CVSS base score provides a standardized, quantitative measure of a vulnerability's severity based on intrinsic characteristics like attack vector and complexity. Prioritizing by CVSS score ensures that remediation efforts focus on vulnerabilities with the highest potential impact, aligning with industry best practices for risk-based vulnerability management.

Exam trap

Cisco often tests that candidates confuse vulnerability age with exploit maturity, but age alone is irrelevant without evidence of active exploitation or a functional exploit in the wild.

103
Multi-Selecteasy

A security analyst is reviewing a vulnerability scan report and must prioritize remediation efforts. Which TWO factors are most important for prioritizing vulnerability remediation?

Select 2 answers
A.Time since vulnerability published
B.CVSS base score
C.Vendor patch release date
D.Number of hosts affected
E.Availability of public exploit code
AnswersB, E

CVSS base score is a key indicator of severity and is widely used for prioritization.

Why this answer

The CVSS base score (B) provides a standardized, vendor-neutral severity rating (0-10) that reflects the intrinsic characteristics of a vulnerability, such as attack vector, complexity, and impact on confidentiality, integrity, and availability. This score is a primary factor for prioritization because it allows analysts to compare vulnerabilities across different systems and prioritize those with the highest potential for damage, independent of environmental factors.

Exam trap

CompTIA often tests the distinction between intrinsic severity (CVSS base score) and external risk factors (exploit availability), leading candidates to mistakenly prioritize the number of affected hosts (D) or patch release date (C) over these two key factors.

104
Multi-Selectmedium

A vulnerability manager is prioritizing remediation. Which factors should influence risk-based priority? (Choose three.)

Select 3 answers
A.Internet exposure of the affected asset
B.Alphabetical order of the CVE identifier
C.Known exploitation in the wild
D.Business criticality of the affected service
AnswersA, C, D

External reachability increases likelihood of attack.

Why this answer

Internet exposure of the affected asset is a critical factor because assets reachable from the public internet have a larger attack surface and are more likely to be targeted by automated scanners and exploit kits. Risk-based prioritization weighs the likelihood of exploitation, and an internet-facing system inherently faces a higher threat level than an internal-only asset. This aligns with the CVSS environmental metrics (Modified Attack Vector) and common vulnerability scoring frameworks that adjust severity based on network accessibility.

Exam trap

Cisco often tests the misconception that all CVSS scores are equal regardless of context, but the trap here is that candidates might think alphabetical order or CVE age is relevant, when in fact only exploitability, exposure, and business impact drive true risk-based priority.

105
MCQeasy

A security analyst is reviewing vulnerability scan results and sees a critical vulnerability on a web server with a CVSS score of 9.8. The server is a legacy system that cannot be patched without causing application downtime. The business requires the application to remain available. Which of the following is the BEST course of action?

A.Remove the system from the network.
B.Disable the vulnerable service on the server.
C.Accept the risk and do nothing.
D.Implement a virtual patch using a web application firewall.
AnswerD

Virtual patching via WAF mitigates vulnerability while maintaining availability.

Why this answer

Option D is correct because a virtual patch via a web application firewall (WAF) can inspect and block exploit attempts against the vulnerability without modifying the legacy server's code or binaries. This allows the business-critical application to remain available while mitigating the 9.8 CVSS risk at the network layer, typically using signature-based or behavioral rules to intercept malicious payloads targeting the flaw.

Exam trap

CompTIA often tests the misconception that a critical vulnerability always requires immediate patching or removal, when in reality compensating controls like a WAF virtual patch are the preferred risk treatment for legacy systems that cannot be taken offline.

How to eliminate wrong answers

Option A is wrong because removing the system from the network would cause the exact application downtime the business requires to avoid, and it is an overly drastic measure when a compensating control exists. Option B is wrong because disabling the vulnerable service on the server would likely break the application's functionality, as the service is presumably the core web server process, and this also fails to address the business requirement for availability. Option C is wrong because accepting the risk and doing nothing ignores the critical severity (CVSS 9.8) and the high likelihood of exploitation, which is irresponsible without first attempting a compensating control like a WAF.

106
Multi-Selectmedium

Which conditions should push a vulnerability higher in the remediation queue? (Choose three.)

Select 3 answers
A.The asset supports a critical business process
B.The affected asset is internet-facing
C.Exploitation is observed in the wild
D.The CVE number is easy to remember
AnswersA, B, C

Business impact increases priority.

Why this answer

A is correct because assets supporting critical business processes have a higher impact on organizational operations if compromised. Vulnerability management prioritization frameworks, such as those aligned with the CVSS environmental score, assign greater weight to business criticality. Remediating vulnerabilities on these assets first reduces the risk of significant downtime, data loss, or regulatory non-compliance.

Exam trap

Cisco often tests the distinction between factors that increase likelihood (e.g., internet-facing, active exploitation) versus factors that increase impact (e.g., critical business process), and candidates may mistakenly prioritize vulnerabilities based solely on CVSS base score without considering environmental or threat intelligence inputs.

107
Multi-Selecthard

A vulnerability assessment has identified multiple issues. Which THREE actions are appropriate steps in the remediation process? (Choose three.)

Select 3 answers
A.Create a change request to apply the necessary patch or configuration change
B.Rescan the system immediately to confirm the vulnerability
C.Uninstall the affected software or service to remove the vulnerability
D.Research the vulnerability to understand its impact and remediation
E.Verify the remediation by performing a follow-up scan or test
AnswersA, D, E

Formal change management helps track and approve modifications.

Why this answer

Option A is correct because in a structured remediation process, applying a patch or configuration change requires a formal change request to ensure proper testing, approval, and documentation, minimizing the risk of unintended disruptions. This aligns with change management best practices in vulnerability management, where uncoordinated changes can introduce new vulnerabilities or break existing functionality.

Exam trap

Cisco often tests the misconception that immediate rescanning or drastic removal are valid remediation steps, when in fact the correct sequence requires research, controlled change implementation, and verification.

108
MCQmedium

A security analyst at a financial institution is responsible for vulnerability management. The company has a policy that all critical vulnerabilities must be remediated within 72 hours. The weekly vulnerability scan identifies a critical vulnerability on a file server that hosts sensitive customer data. The vulnerability is a remote code execution in the operating system. The server is running a legacy OS that is no longer supported by the vendor. The system owner states that the application on the server cannot be migrated to a newer OS for at least six months. The server cannot be taken offline because it is used by the compliance team for daily audits. Which of the following should the analyst recommend to best address the risk?

A.Remove the server from the network immediately.
B.Implement compensating controls such as network segmentation and host-based firewall rules.
C.Accept the risk and document the exception.
D.Apply a custom patch developed by the manufacturer.
AnswerB

Reduces risk while awaiting migration.

Why this answer

Option B is correct because when a critical vulnerability cannot be patched due to legacy OS constraints, compensating controls are the best approach to reduce risk. Network segmentation isolates the server from untrusted hosts, and host-based firewall rules restrict inbound/outbound traffic to only necessary ports and IPs, mitigating the remote code execution vector without taking the server offline.

Exam trap

CompTIA often tests the concept that compensating controls are the appropriate response when patching is impossible and business continuity is critical, tricking candidates into choosing risk acceptance (C) without considering that compensating controls must be implemented first.

How to eliminate wrong answers

Option A is wrong because immediately removing the server from the network would halt compliance audits, violating business requirements and potentially causing regulatory issues; it is an extreme measure not aligned with risk acceptance or compensating controls. Option C is wrong because accepting risk and documenting an exception without implementing any technical safeguards ignores the policy requiring remediation within 72 hours and leaves sensitive customer data exposed to remote code execution. Option D is wrong because the OS is no longer supported by the vendor, so no custom patch is available; applying an unsupported or unofficial patch could introduce instability or security flaws and is not a recommended practice.

109
MCQmedium

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For control selection, Which control best addresses the stated weakness without hiding risk?

A.Run authenticated scans using least-privilege scanner credentials
B.Increase only the port range
C.Disable host firewalls permanently
D.Trust the unauthenticated result as complete
AnswerA

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Unauthenticated scans only enumerate open ports and services visible without credentials, missing the patch status of installed software because they cannot query the Windows registry or WMI for installed updates. Running authenticated scans with least-privilege credentials allows the scanner to log into each target and retrieve detailed patch data via the Windows Update Agent API or registry keys, revealing missing patches that were previously invisible. This directly addresses the security manager's suspicion of missing patch data without introducing unnecessary risk.

Exam trap

Cisco often tests the misconception that increasing scan depth (e.g., port range or intensity) compensates for lack of authentication, but the trap here is that patch data is only accessible through authenticated access, not by broader network scanning.

How to eliminate wrong answers

Option B is wrong because increasing only the port range expands the network-layer scan but still cannot access patch-level information without authentication; it only finds more open ports, not missing patches. Option C is wrong because permanently disabling host firewalls exposes the servers to network-based attacks and does not enable the scanner to retrieve patch data—authentication is required, not firewall bypass. Option D is wrong because trusting the unauthenticated result as complete ignores the fundamental limitation that unauthenticated scans cannot assess patch status, leaving the organization vulnerable to known exploits that the scanner missed.

110
MCQhard

Based on the exhibit, which vulnerability should the analyst prioritize for remediation?

A.Squid http proxy 3.5.20
B.OpenSSH 7.4
C.Apache httpd 2.4.6
D.MySQL 5.5.62
AnswerD

MySQL 5.5.62 is end-of-life and has multiple critical remote code execution vulnerabilities.

Why this answer

MySQL 5.5.62 is end-of-life (EOL) and no longer receives security patches, making it vulnerable to known exploits such as CVE-2016-6662 (privilege escalation via crafted my.cnf) and CVE-2016-6663 (privilege escalation via REPAIR TABLE). The analyst should prioritize this because the lack of vendor support means any discovered vulnerability will remain unpatched, posing a critical risk to data confidentiality and integrity.

Exam trap

CompTIA often tests the concept that end-of-life software with no vendor support is a higher priority than older but still-supported versions, even if the latter have known CVEs, because unsupported software will never receive patches for future vulnerabilities.

How to eliminate wrong answers

Option A is wrong because Squid http proxy 3.5.20 is not the highest priority; while it may have vulnerabilities, it is not EOL and typically has a lower CVSS score compared to an unsupported database. Option B is wrong because OpenSSH 7.4, though older, is still supported in many enterprise distributions (e.g., RHEL 7 backports security fixes) and does not represent an immediate EOL risk like MySQL 5.5.62. Option C is wrong because Apache httpd 2.4.6 is also still supported in some long-term support distributions (e.g., RHEL 7) and does not carry the same criticality as an unsupported database server that stores sensitive data.

111
MCQhard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For business prioritization, Which recommendation gives the best risk-based order of work?

A.Manually test the service with a TLS client or scanner profile that negotiates protocol versions
B.Delete the server from the scan scope
C.Change the severity to informational automatically
D.Close the finding because the owner disagrees
AnswerA

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option A is correct because the best validation method is to independently verify the server's TLS configuration by manually testing with a TLS client (e.g., OpenSSL s_client) or a scanner profile that explicitly attempts to negotiate TLS 1.0. This eliminates false positives from automated scanners that may rely on banner grabbing or outdated fingerprints, and directly confirms whether the service accepts TLS 1.0 handshakes at the protocol level.

Exam trap

The trap here is that candidates assume the scanner's automated result is always accurate and choose to change severity or remove the finding, rather than understanding that validation through independent protocol negotiation is the required step before any risk-based prioritization.

How to eliminate wrong answers

Option B is wrong because deleting the server from the scan scope ignores the potential vulnerability entirely, failing to validate the finding and leaving the organization exposed if TLS 1.0 is actually enabled. Option C is wrong because automatically changing the severity to informational without validation could mask a real risk; severity should be based on verified technical evidence, not automated assumptions, and this bypasses proper risk assessment.

112
MCQhard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For control selection, Which control best addresses the stated weakness without hiding risk?

A.Close the finding because the owner disagrees
B.Change the severity to informational automatically
C.Delete the server from the scan scope
D.Manually test the service with a TLS client or scanner profile that negotiates protocol versions
AnswerD

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option D is correct because the best validation method is to manually test the service using a TLS client (e.g., OpenSSL s_client) or a scanner profile that explicitly attempts to negotiate TLS 1.0. This directly verifies whether the server truly rejects TLS 1.0 handshakes, eliminating false positives from scanner misconfiguration or version negotiation quirks. Relying on the owner's assertion or altering the finding without technical proof would violate vulnerability management best practices.

Exam trap

CompTIA often tests the misconception that a service owner's claim or a scanner's default severity should override manual technical verification, tempting candidates to choose administrative actions (A, B, C) instead of the rigorous validation step (D).

How to eliminate wrong answers

Option A is wrong because closing a finding solely because the owner disagrees ignores the need for technical validation and hides potential risk. Option B is wrong because automatically changing severity to informational without testing conceals the actual risk level and violates the principle of risk transparency. Option C is wrong because deleting the server from scan scope removes visibility entirely, which is an extreme and inappropriate response that does not address the underlying protocol weakness.

113
MCQhard

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For validation, Which action should be taken before closing or downgrading the finding?

A.Create a duplicate ticket for every asset
B.A retest showing the vulnerable condition is no longer present
C.Close it immediately based on the email
D.Wait one year before testing
AnswerB

Closure should be based on validation evidence, not only a remediation claim.

Why this answer

Option B is correct because the vulnerability manager must obtain objective evidence that the fix was successfully applied and the vulnerability is no longer exploitable. A retest—typically performed via authenticated scanning or manual verification—confirms the absence of the vulnerable condition, aligning with the remediation validation phase in the vulnerability management lifecycle. Closing based solely on a team's email (Option C) violates the principle of verify, not trust, and could leave residual risk unaddressed.

Exam trap

Cisco often tests the principle that vulnerability closure requires independent verification (retest) rather than accepting a team's assertion, and the trap here is that candidates may think an email confirmation is sufficient because it comes from the responsible team, ignoring the need for objective evidence.

How to eliminate wrong answers

Option A is wrong because creating a duplicate ticket for every asset introduces unnecessary administrative overhead and does not provide any validation that the patch was applied or effective; it merely duplicates work without confirming remediation. Option C is wrong because closing a finding based solely on an email from the team bypasses the required verification step; the vulnerability manager must independently confirm the fix through a retest or equivalent evidence, as the team's claim could be mistaken or incomplete.

114
MCQmedium

A vulnerability scanner reports that an internal web application is vulnerable to SQL injection. The development team says they fixed it by input sanitization. Which of the following should the analyst do FIRST?

A.Update the vulnerability report
B.Perform a manual penetration test
C.Rescan the application to confirm remediation
D.Review the code changes
AnswerC

Rescanning provides immediate evidence of whether the vulnerability is resolved.

Why this answer

Option C is correct because the first step after a claimed fix is to verify the remediation by rescanning the application with the same vulnerability scanner. This provides objective evidence that the SQL injection vector is no longer exploitable, confirming the input sanitization was effective before any further actions are taken.

Exam trap

CompTIA often tests the misconception that reviewing code changes is the immediate next step, but the correct first action is always to verify the fix with the same scanning tool to maintain an objective audit trail.

How to eliminate wrong answers

Option A is wrong because updating the vulnerability report without verifying the fix could propagate false information and lead to compliance issues. Option B is wrong because performing a manual penetration test is a valid next step but should come after automated rescanning to confirm the basic fix, as it is more resource-intensive and may miss simple residual issues. Option D is wrong because reviewing code changes is a development task and not the analyst's first action; the analyst should first confirm the fix via scanning to maintain an objective security posture.

115
MCQeasy

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For validation, Which action should be taken before closing or downgrading the finding?

A.Ship the image and document nothing
B.Validate exploitability and rebuild from a patched base image where feasible
C.Only rename the image tag
D.Ignore all base-image vulnerabilities
AnswerB

Container findings should consider reachability, but rebuilding from a patched base reduces inherited risk.

Why this answer

Option B is correct because the best next step is to validate whether the vulnerable OpenSSL binary is actually exploitable in the container's runtime context (e.g., it may be a statically linked unused library or a dead code path). If the binary is truly unused, the team should still rebuild from a patched base image where feasible to maintain a clean supply chain and avoid false-positive fatigue; if it is used, the vulnerability must be remediated. This balances security rigor with operational pragmatism, aligning with vulnerability management best practices for containerized environments.

Exam trap

CompTIA often tests the misconception that a vulnerability can be safely ignored simply because the application team claims the binary is unused, without requiring validation or a documented risk acceptance process.

How to eliminate wrong answers

Option A is wrong because shipping the image without documentation violates security policy and audit requirements, leaving no record of the risk acceptance decision. Option C is wrong because renaming the image tag does not change the vulnerable base layer; the CVE remains present and exploitable if the binary is used. Option D is wrong because ignoring all base-image vulnerabilities is negligent; even if this specific CVE is not exploitable, other vulnerabilities in the same base layer could be active, and blanket ignoring undermines the CI pipeline's security gates.

116
MCQhard

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A.Remediate alphabetically by CVE ID
B.Remediate only vulnerabilities with vendor logos in the report
C.Prioritize the KEV/high-EPSS issue after confirming asset exposure
D.Always sort only by CVSS base score
AnswerC

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option C is correct because CISA KEV and high EPSS indicate active exploitation in the wild, making the medium CVSS vulnerability a higher operational priority than non-exploitable high CVSS issues. The analyst must first confirm asset exposure to ensure the vulnerability actually affects the environment before recommending remediation. This aligns with risk-based vulnerability management (RBVM) principles, which prioritize exploitability and threat intelligence over CVSS base score alone.

Exam trap

Cisco often tests the misconception that CVSS base score alone determines priority, but the trap here is that a medium CVSS vulnerability with KEV/high EPSS is more urgent than high CVSS issues that are not exploitable in the environment.

How to eliminate wrong answers

Option A is wrong because sorting alphabetically by CVE ID ignores all risk factors (CVSS, KEV, EPSS, exploitability) and would waste resources on low-priority findings. Option B is wrong because vendor logos in a report do not correlate with exploitability or business risk; a vulnerability may lack a vendor logo yet still be actively exploited and critical to remediate.

117
Multi-Selecthard

An emergency patch may break a revenue-critical system. Which actions balance risk and availability? (Choose two.)

Select 2 answers
A.Test the patch in a representative staging environment
B.Apply temporary compensating controls while preparing deployment
C.Disable monitoring to avoid alerts during the change
D.Ignore active exploitation until the next annual review
AnswersA, B

Testing reduces outage risk.

Why this answer

Option A is correct because testing the emergency patch in a representative staging environment that mirrors the production system's configuration, dependencies, and load allows you to identify potential breaking changes before deployment. This balances risk by validating the patch's impact on revenue-critical systems while maintaining availability, as any failures are contained in the test environment. Option B is correct because applying temporary compensating controls—such as additional monitoring, rate limiting, or failover mechanisms—provides a safety net that reduces the blast radius of a potential patch failure, enabling you to proceed with deployment while preserving system availability.

Exam trap

Cisco often tests the misconception that disabling monitoring reduces operational overhead during changes, but the trap here is that it actually increases risk by removing the ability to detect and respond to failures, which is essential for maintaining availability in revenue-critical systems.

118
Multi-Selecthard

A team requests a patch exception for a legacy application. What should be required? (Choose two.)

Select 2 answers
A.Documented compensating controls and monitoring
B.A time-bound owner-approved risk acceptance
C.Removal of the asset from inventory
D.Permanent suppression from all reports
AnswersA, B

Controls reduce risk while the vulnerability remains.

Why this answer

A is correct because when a patch cannot be applied to a legacy application, compensating controls (e.g., network segmentation, host-based firewall rules, or input validation) must be documented to mitigate the specific vulnerabilities the patch would address. Monitoring must also be implemented to detect any exploitation attempts against those unpatched weaknesses, ensuring the residual risk is continuously observed. This aligns with the vulnerability management lifecycle where exceptions require evidence of alternative risk reduction, not just a waiver.

Exam trap

Cisco often tests that candidates confuse 'compensating controls' with 'removal from inventory' as a quick fix, but the trap here is that removing the asset is a separate action (decommissioning), not a valid component of a patch exception process.

119
Multi-Selectmedium

A vulnerability manager wants accurate Linux package findings. Which scan conditions are important? (Choose two.)

Select 2 answers
A.Authenticated access to inspect installed packages
B.Scanner account permissions sufficient for inventory commands
C.Only scanning ICMP echo replies
D.Changing server hostnames randomly
AnswersA, B

Local package state usually requires credentials.

Why this answer

For accurate Linux package findings, the vulnerability scanner must have authenticated access (e.g., via SSH with valid credentials) to inspect installed packages directly from the package manager database (e.g., RPM or dpkg). Without authentication, the scanner can only perform unauthenticated network-based checks, which cannot reliably determine installed software versions or patch levels. Authenticated access ensures the scanner can execute commands like 'rpm -qa' or 'dpkg -l' to enumerate packages with high accuracy.

Exam trap

Cisco often tests the misconception that unauthenticated network scans (e.g., banner grabbing or ICMP) can replace authenticated scans for accurate software inventory, but only authenticated access with proper permissions yields reliable package-level findings.

120
MCQmedium

A security analyst discovers a server that is missing multiple critical patches. The server hosts a legacy application that cannot be patched immediately due to compatibility issues. Which of the following is the BEST approach to manage the vulnerability risk?

A.Apply a virtual patch using a WAF
B.Implement network segmentation and increase monitoring
C.Disable the server until a patch is available
D.Remove the server from the network
AnswerB

This reduces risk by isolating the server and enabling detection of attacks.

Why this answer

Option B is the best approach because network segmentation isolates the vulnerable legacy server from critical assets, reducing the attack surface, while increased monitoring allows the security team to detect and respond to any exploitation attempts in real time. This balances risk acceptance with active defense, which is a core principle of vulnerability management when patching is not immediately feasible.

Exam trap

The trap here is that candidates often choose 'Apply a virtual patch using a WAF' because they overestimate the scope of WAF protection, forgetting that it only covers web-based attacks and not OS-level or protocol-level vulnerabilities.

How to eliminate wrong answers

Option A is wrong because a WAF (Web Application Firewall) applies virtual patches only at the application layer (HTTP/HTTPS), and cannot protect against vulnerabilities in other services (e.g., SMB, RDP, or OS-level exploits) that the legacy server may expose. Option C is wrong because disabling the server entirely disrupts business operations and is an overly drastic measure that does not align with risk management best practices unless the vulnerability is critical and actively exploited. Option D is wrong because removing the server from the network completely halts its function and is equivalent to decommissioning, which is not a temporary risk management strategy and ignores the need to maintain business continuity.

121
MCQhard

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For validation, Which action should be taken before closing or downgrading the finding?

A.Run only unauthenticated scans forever
B.Disable SSH on all servers
C.Assume the hosts have no vulnerabilities
D.Review scanner account permissions, allowed authentication methods, and sudo command restrictions
AnswerD

Credentialed scans depend on authentication and sufficient read access to inspect packages and configuration.

Why this answer

Option D is correct because SSH hardening (e.g., disabling password authentication, restricting ciphers, or enforcing key-based login) can break credentialed scans if the scanner's account permissions, allowed authentication methods, or sudo command restrictions are not aligned with the new configuration. Reviewing these settings ensures the scanner can authenticate and execute privileged commands, restoring scan coverage without compromising security.

Exam trap

Cisco often tests the misconception that a scan failure after hardening means the hosts are secure, when in reality the failure is a connectivity or authentication issue that must be resolved to maintain visibility.

How to eliminate wrong answers

Option A is wrong because running only unauthenticated scans forever would miss critical vulnerabilities that require authenticated access (e.g., local privilege escalation, missing patches), violating best practices for comprehensive vulnerability management. Option B is wrong because disabling SSH on all servers would break remote administration and defeat the purpose of scanning; SSH is the standard secure remote access protocol, and disabling it is not a viable remediation. Option C is wrong because assuming hosts have no vulnerabilities after a scan failure is a dangerous assumption; the scan failure indicates a configuration issue, not an absence of vulnerabilities, and could lead to unpatched systems being exploited.

122
Matchingmedium

Match each attack type to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Deceptive email to steal credentials

Malware that encrypts data for ransom

Overwhelming a service with traffic

Injecting malicious SQL queries

Intercepting communication between parties

Why these pairings

These are common attack vectors covered in CySA+.

123
MCQeasy

A supplier provides a software product used in a regulated environment. The security team wants visibility into included libraries and versions. What should they request? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A.A software bill of materials
B.A building floor plan
C.A password complexity screenshot only
D.A DNS MX record report
AnswerA

An SBOM lists software components and versions, supporting dependency risk analysis.

Why this answer

A Software Bill of Materials (SBOM) is a formal, machine-readable inventory (often in SPDX or CycloneDX format) that lists all third-party libraries, their versions, and dependencies. In a regulated environment, this provides the security team with the visibility needed to assess vulnerabilities (e.g., Log4Shell) and ensure compliance with standards like NIST SP 800-53 or FDA cybersecurity guidance. Requesting an SBOM is the standard practice for supply chain risk management.

Exam trap

Cisco often tests the distinction between operational security artifacts (like password policies or DNS records) and the specific supply chain documentation (SBOM) required for software composition analysis, leading candidates to confuse general security controls with component inventory.

How to eliminate wrong answers

Option B is wrong because a building floor plan is a physical security document unrelated to software library inventory or version tracking. Option C is wrong because a password complexity screenshot only verifies a single authentication policy, not the composition of included libraries and their versions. Option D is wrong because a DNS MX record report lists mail exchange servers for email routing, not software components or their versions.

124
MCQmedium

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A.Increase only the port range
B.Trust the unauthenticated result as complete
C.Run authenticated scans using least-privilege scanner credentials
D.Disable host firewalls permanently
AnswerC

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Unauthenticated scans rely on network-visible services and banners, which miss registry-level patch data, OS configuration details, and installed updates. Authenticated scans with least-privilege credentials (e.g., using WMI, WinRM, or the Windows Update API) provide deep visibility into missing patches by querying the actual patch database (e.g., via the Microsoft Update Catalog or WSUS). This directly addresses the security manager's suspicion of missing patch data, making option C the correct choice.

Exam trap

Cisco often tests the misconception that increasing scan scope (ports, protocols) or disabling firewalls can substitute for proper authentication, when in fact only credentialed scanning provides the access needed to assess patch levels accurately.

How to eliminate wrong answers

Option A is wrong because increasing the port range only expands the number of ports scanned for open services; it does not enable credential-based access to patch information, so missing patch data remains invisible. Option B is wrong because trusting unauthenticated results as complete ignores the fundamental limitation that unauthenticated scans cannot access registry, file system, or WMI data needed to verify patch levels, leading to false negatives. Option D is wrong because disabling host firewalls permanently is an insecure and drastic measure that does not grant the scanner the necessary privileges to read patch data; it only removes network-level access controls, not the authentication requirement.

125
Multi-Selectmedium

Which three of the following are effective techniques for prioritizing vulnerabilities for remediation in a vulnerability management program? (Choose three.)

Select 3 answers
.Applying the Common Vulnerability Scoring System (CVSS) base score as the sole prioritization metric
.Correlating vulnerabilities with active exploit campaigns and threat intelligence feeds
.Using asset criticality ratings derived from business impact analysis (BIA)
.Prioritizing vulnerabilities based solely on the age of the CVE
.Incorporating compensating controls that may reduce the effective risk of a vulnerability
.Focusing remediation efforts exclusively on vulnerabilities with a CVSS score of 9.0 or higher

Why this answer

Correlating vulnerabilities with active exploit campaigns and threat intelligence feeds is effective because it prioritizes vulnerabilities that are currently being exploited in the wild, which directly reduces the risk of a breach. This approach aligns remediation with real-world attacker behavior rather than theoretical severity.

Exam trap

CompTIA often tests the misconception that CVSS base scores alone are sufficient for prioritization, when in fact they must be combined with asset criticality, threat context, and compensating controls to reflect true organizational risk.

126
MCQmedium

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For control selection, Which control best addresses the stated weakness without hiding risk?

A.Mark the vulnerability as fixed
B.Documented risk acceptance with compensating controls and a migration/remediation plan
C.Remove the system from future reports
D.Give all users local admin rights
AnswerB

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

When a legacy system cannot be patched due to vendor end-of-life, the vulnerability manager must formally document the risk acceptance, implement compensating controls (e.g., network segmentation, host-based firewall rules, or application whitelisting), and create a migration or remediation plan to eventually retire or replace the system. This approach transparently acknowledges the residual risk rather than hiding it, aligning with the principle of risk treatment as defined in NIST SP 800-53 and ISO 27005.

Exam trap

Cisco often tests the misconception that removing a system from reports or marking it as fixed is an acceptable shortcut, when in fact the correct process requires formal risk acceptance with compensating controls and a documented plan.

How to eliminate wrong answers

Option A is wrong because marking a vulnerability as 'fixed' when no patch has been applied is a false status that misrepresents the actual risk posture and violates vulnerability management policy. Option C is wrong because removing the system from future reports hides the risk from stakeholders and bypasses the necessary risk acceptance process, which is a security governance failure. Option D is wrong because granting all users local admin rights would increase the attack surface and privilege escalation risk, directly contradicting the principle of least privilege and making the system even more vulnerable.

127
Multi-Selectmedium

Which pipeline controls help prevent vulnerable dependencies reaching production? (Choose two.)

Select 2 answers
A.SBOM generation and review for released builds
B.Manual badge checks at the office door
C.Software composition analysis with policy gates
D.DNS MX record rotation
AnswersA, C

SBOMs support dependency tracking and downstream risk review.

Why this answer

A is correct because SBOM (Software Bill of Materials) generation and review provides a detailed inventory of all components in a build, enabling teams to identify and block vulnerable dependencies before release. This aligns with supply chain security best practices, as SBOMs allow automated comparison against vulnerability databases (e.g., NVD) to enforce policy gates early in the pipeline.

Exam trap

Cisco often tests the distinction between pipeline-level controls (automated, code-focused) and physical or administrative controls, so candidates may mistakenly select a non-technical option like badge checks because they confuse 'pipeline' with general security procedures.

128
MCQhard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For validation, Which action should be taken before closing or downgrading the finding?

A.Wireless spectrum analysis
B.Database transaction log backups
C.Software composition analysis in the CI/CD pipeline
D.Physical badge access reviews
AnswerC

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software composition analysis (SCA) is the correct control because it specifically scans open-source libraries and their dependencies for known vulnerabilities (CVEs) and license compliance issues. Integrating SCA into the CI/CD pipeline ensures that vulnerable libraries are identified automatically before the code is deployed, aligning with the shift-left security principle.

Exam trap

Cisco often tests the distinction between vulnerability identification (SCA) and operational controls (backups, spectrum analysis), leading candidates to confuse general security practices with the specific need for open-source library scanning.

How to eliminate wrong answers

Option A is wrong because wireless spectrum analysis is used to detect rogue access points, interference, or unauthorized wireless devices, not to analyze software libraries. Option B is wrong because database transaction log backups are a data recovery and integrity measure, not a method for identifying vulnerabilities in open-source code.

129
Multi-Selecthard

A web application DAST scan reports stored XSS. Which evidence helps confirm exploitability? (Choose two.)

Select 2 answers
A.Payload persists and executes when another user views the affected page
B.The vulnerable parameter and output encoding context are identified
C.The server has a large disk
D.The application uses HTTPS
AnswersA, B

Stored execution against another user validates impact.

Why this answer

Option A is correct because stored XSS is confirmed exploitable only when the injected payload (e.g., <script>alert(1)</script>) is persistently stored on the server (e.g., in a database or file) and then rendered and executed in the browser of another user who views the affected page. This demonstrates that the attack can impact victims beyond the tester, proving the vulnerability is not self-inflicted or limited to the attacker's session.

Exam trap

Cisco often tests the distinction between identifying a vulnerability's context (Option B) and actually proving it is exploitable (Option A), leading candidates to confuse analysis steps with exploitation evidence.

130
MCQhard

During a vulnerability scan, the scanner reports a high number of open ports on a server that is supposed to be a hardened web server. The analyst investigates and finds that the server is running unnecessary services. Which of the following is the MOST effective long-term solution?

A.Implement a configuration management baseline and enforce it
B.Disable the unnecessary services manually
C.Increase the frequency of vulnerability scans
D.Install a host-based firewall to block the ports
AnswerA

Configuration management ensures consistent hardening and drift detection.

Why this answer

Implementing a configuration management baseline and enforcing it (Option A) is the most effective long-term solution because it ensures that the server is consistently provisioned with only the necessary services and configurations. This approach uses tools like Ansible, Puppet, or Chef to automatically remediate drift, preventing unnecessary services from reappearing after manual changes or reboots. It addresses the root cause by codifying the desired state, rather than relying on ad-hoc fixes.

Exam trap

CompTIA often tests the distinction between detection (scanning) and remediation (configuration management), and the trap here is that candidates choose a reactive control like a firewall or manual disabling instead of the proactive, automated enforcement that prevents the issue from recurring.

How to eliminate wrong answers

Option B is wrong because manually disabling unnecessary services is a temporary, non-scalable fix that does not prevent the services from being re-enabled during updates or reboots, and it lacks auditability and enforcement. Option C is wrong because increasing the frequency of vulnerability scans only detects the problem more often; it does not remediate the root cause of unnecessary services running. Option D is wrong because installing a host-based firewall to block ports only masks the vulnerability by hiding the open ports from scans, but the unnecessary services remain running and could still be exploited via local access or other attack vectors.

131
MCQhard

A development team wants to find vulnerable open-source libraries before deployment. Which control best fits this stage? For business prioritization, Which recommendation gives the best risk-based order of work?

A.Database transaction log backups
B.Physical badge access reviews
C.Wireless spectrum analysis
D.Software composition analysis in the CI/CD pipeline
AnswerD

SCA identifies vulnerable third-party dependencies and can gate builds before release.

Why this answer

Software Composition Analysis (SCA) is the correct control because it specifically scans open-source libraries for known vulnerabilities (CVEs) and license compliance issues. Integrating SCA into the CI/CD pipeline ensures vulnerabilities are detected and blocked before the code is deployed, aligning with the 'shift left' security principle. This directly addresses the team's goal of finding vulnerable open-source libraries pre-deployment.

Exam trap

CompTIA often tests the concept that 'shift left' security controls like SCA are distinct from operational or physical security controls, and the trap here is confusing vulnerability scanning of code with unrelated security processes like backups or physical access reviews.

How to eliminate wrong answers

Option A is wrong because database transaction log backups are a data recovery and integrity control, not a method for scanning open-source libraries for vulnerabilities. Option B is wrong because physical badge access reviews control physical access to facilities, not the security of software dependencies in a development pipeline. Option C is wrong because wireless spectrum analysis detects RF interference and rogue access points, not vulnerabilities in open-source code libraries.

132
MCQeasy

Two servers have the same critical vulnerability. One hosts a public payment API; the other is a lab server isolated from production. What changes the remediation priority? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A.The colour of the scanner dashboard
B.The number of installed fonts
C.Whether the hostname is shorter
D.Asset criticality, exposure, and business impact
AnswerD

The same CVE can represent different risk depending on where it exists and what the asset supports.

Why this answer

D is correct because remediation priority is determined by asset criticality, exposure, and business impact, not by superficial attributes. The public payment API has high business impact and exposure, making it a higher priority than the isolated lab server, even though both share the same vulnerability. This aligns with risk-based vulnerability management principles where context (e.g., data sensitivity, network reachability) drives patching order.

Exam trap

Cisco often tests the misconception that all vulnerabilities with the same CVE should be treated equally, ignoring the risk-based prioritization that considers asset criticality, exposure, and business impact.

How to eliminate wrong answers

Option A is wrong because the colour of the scanner dashboard is a cosmetic UI element with no bearing on risk assessment or remediation priority. Option B is wrong because the number of installed fonts is irrelevant to vulnerability severity, exploitability, or business context. Option C is wrong because hostname length has no technical relationship to risk; a shorter hostname does not indicate higher exposure or criticality.

133
MCQmedium

A company has implemented a vulnerability management program. The security team needs to ensure that all critical vulnerabilities are remediated within 30 days. Which of the following metrics would BEST measure the effectiveness of this goal?

A.Number of critical vulnerabilities detected per month
B.Number of rescan results showing vulnerability closure
C.Percentage of systems with up-to-date patches
D.Mean time to remediate critical vulnerabilities
AnswerD

This metric directly measures whether the 30-day goal is being met.

Why this answer

The goal is to ensure all critical vulnerabilities are remediated within 30 days. Mean time to remediate (MTTR) directly measures the average time taken to fix critical vulnerabilities, making it the best metric to assess compliance with the 30-day remediation window. Other metrics, such as detection counts or patch levels, do not capture the timeliness of remediation.

Exam trap

Cisco often tests the distinction between measuring remediation activity (e.g., number of closures) versus measuring remediation timeliness (e.g., MTTR), leading candidates to pick Option B because they confuse 'closure count' with 'time to closure.'

How to eliminate wrong answers

Option A is wrong because the number of critical vulnerabilities detected per month measures the volume of new findings, not how quickly or effectively they are fixed; a high detection count could coexist with slow remediation. Option B is wrong because the number of rescan results showing vulnerability closure indicates that some fixes have been applied, but it does not measure the time taken to achieve closure, so it cannot verify the 30-day deadline. Option C is wrong because the percentage of systems with up-to-date patches is a broad compliance metric that may include non-critical patches and does not specifically track the remediation timeline for critical vulnerabilities.

134
MCQmedium

A scan of Windows servers reports few findings, but the scanner used no credentials. The security manager suspects missing patch data. What should be changed? For business prioritization, Which recommendation gives the best risk-based order of work?

A.Disable host firewalls permanently
B.Increase only the port range
C.Run authenticated scans using least-privilege scanner credentials
D.Trust the unauthenticated result as complete
AnswerC

Authenticated scanning gives the scanner access to installed software and patch state, improving accuracy.

Why this answer

Without credentials, a vulnerability scanner can only perform unauthenticated checks, which miss many Windows patch vulnerabilities that require registry or file-level access. Running authenticated scans with least-privilege credentials allows the scanner to query the Windows Update Agent API and check installed KBs, providing accurate patch data. This directly addresses the security manager's concern about missing patch data.

Exam trap

Cisco often tests the misconception that increasing scan scope (ports or targets) or disabling security controls will improve vulnerability detection, when the real fix is enabling authenticated access to gather patch-level data.

How to eliminate wrong answers

Option A is wrong because permanently disabling host firewalls exposes the server to network-based attacks and violates the principle of least functionality; it does not help the scanner obtain patch data. Option B is wrong because increasing the port range only expands the network surface for unauthenticated scans, which still cannot access the registry or file system to verify installed patches.

135
MCQhard

A team says a critical vulnerability was patched. What should the vulnerability manager require before closure? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A.Close it immediately based on the email
B.Wait one year before testing
C.A retest showing the vulnerable condition is no longer present
D.Create a duplicate ticket for every asset
AnswerC

Closure should be based on validation evidence, not only a remediation claim.

Why this answer

Option C is correct because the vulnerability manager must obtain objective evidence that the vulnerability has been remediated before closing the finding. An email assertion is insufficient; a retest (manual or automated) confirming the vulnerable condition is no longer present provides the verifiable proof required for closure and defensible stakeholder reporting.

Exam trap

Cisco often tests the misconception that a verbal or written assertion from the remediation team is sufficient for closure, when in fact the CompTIA framework requires objective evidence (a retest) to maintain an auditable and defensible vulnerability management program.

How to eliminate wrong answers

Option A is wrong because closing a vulnerability based solely on an email from the team bypasses the verification step, leaving the organization exposed if the patch was incomplete or misapplied. Option B is wrong because waiting one year before testing introduces an unacceptable delay, during which the vulnerability could be exploited, and violates the principle of timely remediation verification.

136
MCQhard

During a penetration test, an analyst successfully exploits a privilege escalation vulnerability to gain root access on a Linux server. The server is used for application development. Which of the following remediation actions would be MOST effective in preventing similar attacks?

B.Harden the kernel using sysctl parameters
C.Implement application whitelisting
D.Apply the principle of least privilege to user accounts
AnswerD

Least privilege limits what an attacker can gain after initial access, reducing the impact.

Why this answer

The principle of least privilege ensures that users and processes have only the minimum permissions necessary to perform their tasks. By applying this to user accounts, the attack surface for privilege escalation is reduced because even if an account is compromised, the attacker cannot easily escalate to root. This directly addresses the root cause of the vulnerability exploited in the scenario.

Exam trap

CompTIA often tests the distinction between detection (HIDS), system hardening (sysctl), execution control (whitelisting), and access control (least privilege), expecting candidates to recognize that preventing privilege escalation requires limiting permissions rather than just monitoring or restricting specific binaries.

How to eliminate wrong answers

Option A is wrong because a host intrusion detection system (HIDS) can detect suspicious activity after the fact but does not prevent the privilege escalation vulnerability from being exploited. Option B is wrong because hardening the kernel with sysctl parameters (e.g., disabling core dumps or restricting kernel module loading) does not address the underlying misconfiguration or weak permissions that allowed the escalation. Option C is wrong because application whitelisting controls which executables can run, but it does not prevent an attacker from abusing legitimate tools or scripts to escalate privileges once they have a foothold.

137
Drag & Dropmedium

Order the steps for a typical patch management process.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

Patch management includes identification, testing, approval, deployment, and verification.

138
MCQhard

A scanner flags TLS 1.0 on a server, but the service owner says TLS 1.0 is disabled. What is the BEST validation method? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A.Close the finding because the owner disagrees
B.Manually test the service with a TLS client or scanner profile that negotiates protocol versions
C.Change the severity to informational automatically
D.Delete the server from the scan scope
AnswerB

Direct protocol validation determines whether TLS 1.0 is actually accepted.

Why this answer

Option B is correct because the scanner may have detected TLS 1.0 due to a false positive from a misconfigured cipher suite or a server-side protocol negotiation artifact. Manually testing with a TLS client (e.g., OpenSSL s_client -tls1) or a scanner profile that explicitly negotiates protocol versions provides definitive evidence of whether TLS 1.0 is actually enabled, resolving the discrepancy between the scanner result and the owner's claim.

Exam trap

Cisco often tests the misconception that a scanner's automated result is always authoritative, when in fact manual validation is required to confirm protocol-level findings, especially when the service owner disputes the result.

How to eliminate wrong answers

Option A is wrong because closing a finding solely because the owner disagrees, without independent validation, violates due diligence and could leave an unpatched vulnerability in production. Option C is wrong because changing severity to informational without technical verification bypasses proper risk assessment and may hide a real vulnerability from remediation tracking. Option D is wrong because deleting the server from the scan scope removes visibility entirely, preventing future detection of the issue and undermining the vulnerability management program's defensibility.

139
MCQhard

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For stakeholder management, Which documentation or approval is required to keep the programme defensible?

A.Assume the hosts have no vulnerabilities
B.Review scanner account permissions, allowed authentication methods, and sudo command restrictions
C.Disable SSH on all servers
D.Run only unauthenticated scans forever
AnswerB

Credentialed scans depend on authentication and sufficient read access to inspect packages and configuration.

Why this answer

Option B is correct because SSH hardening (e.g., disabling password authentication, restricting ciphers, or enforcing key-based login) often breaks the scanner's ability to authenticate. The best next step is to review the scanner account's permissions, allowed authentication methods (e.g., public key vs. password), and sudo command restrictions to ensure the scanner can still execute the necessary commands for credentialed scanning without compromising security.

Exam trap

Cisco often tests the misconception that a failed credentialed scan means the host is secure, when in reality it indicates an authentication or permission issue that must be resolved to maintain scan coverage.

How to eliminate wrong answers

Option A is wrong because assuming hosts have no vulnerabilities after a failed scan is a dangerous security oversight; a failed scan does not prove absence of vulnerabilities, only that the scanner could not authenticate. Option C is wrong because disabling SSH on all servers would break all remote administration and is an extreme, unnecessary measure that does not address the scanner's authentication failure. Option D is wrong because running only unauthenticated scans forever would miss deep vulnerabilities (e.g., missing patches, misconfigurations) that require authenticated access to detect, violating vulnerability management best practices.

140
MCQeasy

A company has a policy to remediate vulnerabilities within 30 days. A critical vulnerability is discovered on a database server. The patch requires a reboot, and the database cannot be taken offline during business hours. Which of the following is the BEST approach?

A.Implement a compensating control
B.Apply a hotfix without reboot
C.Schedule the patch during the next maintenance window
D.Extend the remediation deadline
AnswerA

Compensating controls reduce risk immediately while planning for patching.

Why this answer

Option A is correct because when a critical vulnerability requires a patch that mandates a reboot, but the database cannot be taken offline during business hours, implementing a compensating control (such as network segmentation, strict firewall rules, or an intrusion prevention system (IPS) signature) reduces the risk to an acceptable level until the patch can be applied. This aligns with the 30-day remediation policy by addressing the vulnerability without violating operational constraints.

Exam trap

CompTIA often tests the misconception that 'schedule the patch during the next maintenance window' is always acceptable, but the trap here is that the 30-day remediation deadline is a hard policy requirement, and scheduling alone does not guarantee compliance if the window is beyond 30 days.

How to eliminate wrong answers

Option B is wrong because applying a hotfix without reboot is not feasible for a patch that explicitly requires a reboot to complete installation; a hotfix that does not require a reboot would need to be specifically designed for that purpose, and the scenario does not indicate such a hotfix exists. Option C is wrong because scheduling the patch during the next maintenance window may exceed the 30-day remediation deadline if the window falls outside that timeframe, and the policy requires remediation within 30 days, not merely scheduling. Option D is wrong because extending the remediation deadline violates the company's explicit policy to remediate vulnerabilities within 30 days, and it does not actively reduce risk during the extension period.

141
MCQhard

A credentialed Linux scan fails on several hosts after SSH hardening. What is the BEST next step? For business prioritization, Which recommendation gives the best risk-based order of work?

A.Disable SSH on all servers
B.Assume the hosts have no vulnerabilities
C.Review scanner account permissions, allowed authentication methods, and sudo command restrictions
D.Run only unauthenticated scans forever
AnswerC

Credentialed scans depend on authentication and sufficient read access to inspect packages and configuration.

Why this answer

Option C is correct because SSH hardening (e.g., disabling password authentication, restricting ciphers, or enforcing key-based login) can break credentialed scans if the scanner's account lacks proper permissions or uses an unsupported authentication method. The best next step is to verify that the scanner's SSH key or password is accepted, that the account has sudo privileges for required commands (e.g., `sudo -n` for non-interactive execution), and that no `sudoers` restrictions block the scanner's commands. This directly addresses the root cause without compromising security.

Exam trap

Cisco often tests the misconception that a scan failure after hardening means the hosts are secure, when in reality it signals a configuration mismatch that must be resolved to restore visibility.

How to eliminate wrong answers

Option A is wrong because disabling SSH on all servers would eliminate remote management and scanning entirely, violating security best practices and causing operational disruption; the issue is misconfiguration, not a need to remove SSH. Option B is wrong because assuming hosts have no vulnerabilities after a scan failure is a dangerous security blind spot—credentialed scans provide deeper visibility, and the failure indicates a configuration problem, not an absence of vulnerabilities.

142
MCQmedium

A legacy system cannot be patched because the vendor no longer supports the application. What should the vulnerability manager request? For tool configuration, Which scanner or pipeline change most directly improves result quality?

A.Give all users local admin rights
B.Documented risk acceptance with compensating controls and a migration/remediation plan
C.Mark the vulnerability as fixed
D.Remove the system from future reports
AnswerB

Unsupported systems need formal exception handling, mitigation, ownership, and an exit path.

Why this answer

Option B is correct because when a legacy system cannot be patched due to vendor end-of-life, the vulnerability manager must formally accept the risk through documented risk acceptance, implement compensating controls (e.g., network segmentation, host-based firewall rules, or application whitelisting), and create a migration or remediation plan to eventually retire or replace the system. This aligns with the NIST SP 800-53 risk management framework and ensures auditability and accountability for the unpatched vulnerability.

Exam trap

Cisco often tests the misconception that removing a system from reports or marking a vulnerability as fixed is an acceptable shortcut, when in reality the correct process requires formal risk acceptance with compensating controls and a documented plan.

How to eliminate wrong answers

Option A is wrong because granting all users local admin rights would increase the attack surface and privilege escalation risk, directly violating the principle of least privilege and making the system even more vulnerable. Option C is wrong because marking the vulnerability as fixed when it is not patched is a false positive suppression that misrepresents the security posture and can lead to compliance failures. Option D is wrong because removing the system from future reports hides the vulnerability from visibility, preventing proper tracking and risk management, which is contrary to vulnerability management best practices.

143
MCQeasy

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For business prioritization, Which recommendation gives the best risk-based order of work?

A.Ignore all base-image vulnerabilities
B.Only rename the image tag
C.Validate exploitability and rebuild from a patched base image where feasible
D.Ship the image and document nothing
AnswerC

Container findings should consider reachability, but rebuilding from a patched base reduces inherited risk.

Why this answer

Option C is correct because the best next step is to validate whether the vulnerable OpenSSL binary is actually reachable or exploitable in the running container, and then rebuild from a patched base image if feasible. This balances security with business priorities by avoiding unnecessary rebuilds for non-exploitable vulnerabilities while ensuring that truly exploitable CVEs are remediated. Simply ignoring or renaming the tag does not address the underlying risk and violates secure CI/CD practices.

Exam trap

Cisco often tests the misconception that a vulnerability can be safely ignored if the application team claims the binary is unused, but the trap is that without validation (e.g., runtime reachability analysis), the claim may be false due to transitive dependencies or dynamic loading.

How to eliminate wrong answers

Option A is wrong because ignoring all base-image vulnerabilities would leave the organization exposed to known critical CVEs, violating vulnerability management policies and potentially leading to compliance failures. Option B is wrong because renaming the image tag does not remove or patch the vulnerable binary; it only obscures the issue, and the vulnerable layer remains in the image, which could still be exploited if the binary is reachable.

144
MCQeasy

An organization performs quarterly vulnerability scans of its internal network. The scans have a high number of false positives for out-of-date software that is actually up to date. Which of the following would BEST improve the accuracy of the scans?

A.Disable verbose output to reduce clutter.
B.Implement credential-based scanning.
C.Increase scan frequency to monthly.
D.Use a different vulnerability scanner.
AnswerB

Credentials allow the scanner to check actual patch levels, reducing false positives.

Why this answer

Credential-based scanning (authenticated scanning) allows the scanner to log into target systems with valid credentials, enabling it to query the local registry or package manager for the exact installed software versions. This eliminates reliance on banner grabbing or service fingerprinting, which often produce false positives when out-of-date software is detected based on network-level heuristics rather than actual installed patches.

Exam trap

The trap here is that candidates assume false positives are caused by scanner quality or frequency, rather than recognizing that unauthenticated scanning inherently lacks the visibility needed to confirm patch levels, making credential-based scanning the only direct solution.

How to eliminate wrong answers

Option A is wrong because disabling verbose output only reduces the amount of log data; it does not change the underlying detection method, so false positives from unauthenticated fingerprinting would persist. Option C is wrong because increasing scan frequency to monthly does not address the root cause of false positives; it merely repeats the same inaccurate detection more often, potentially increasing noise. Option D is wrong because simply using a different vulnerability scanner without enabling credential-based scanning would likely yield similar false positives, as most scanners rely on unauthenticated fingerprinting by default and require credentials to improve accuracy.

145
MCQeasy

A CI pipeline blocks a container image because the base layer contains a critical OpenSSL CVE. The application team says the vulnerable binary is not used. What is the BEST next step? For control selection, Which control best addresses the stated weakness without hiding risk?

A.Validate exploitability and rebuild from a patched base image where feasible
B.Only rename the image tag
C.Ship the image and document nothing
D.Ignore all base-image vulnerabilities
AnswerA

Container findings should consider reachability, but rebuilding from a patched base reduces inherited risk.

Why this answer

Option A is correct because it follows the principle of validating risk before acting. The pipeline blocks the image based on a static scan that flags a CVE, but the application team claims the vulnerable binary is not used. The best next step is to verify exploitability (e.g., by checking if the binary is actually invoked at runtime) and then rebuild from a patched base image if the vulnerability is real.

This approach ensures the weakness is addressed without hiding risk, as the rebuild removes the vulnerable component entirely.

Exam trap

Cisco often tests the misconception that a static scan finding must always be acted upon immediately, without validating exploitability or considering that a vulnerable binary may be unused in the container's runtime context.

How to eliminate wrong answers

Option B is wrong because renaming the image tag only obscures the vulnerability from scanning tools but does not remove the vulnerable binary; it hides risk rather than addressing it, violating the principle of transparency. Option C is wrong because shipping the image without documentation ignores the vulnerability entirely, which could lead to exploitation in a different runtime context or fail compliance audits; it is a security bypass that does not validate or mitigate the risk.

146
MCQhard

A large enterprise uses a vulnerability management platform that integrates with Active Directory and a configuration management database (CMDB). During a quarterly scan, a critical vulnerability (CVE-2021-44228) is detected on a legacy application server running an end-of-life (EOL) version of Java. The server supports a critical business process and cannot be upgraded or patched because the vendor no longer provides updates. The analyst must reduce the risk to an acceptable level. What is the best approach?

A.Remove the server from the network until it can be replaced
B.Apply a vendor-supplied hotfix to mitigate the vulnerability
C.Replace the server with a newer model that supports patching
D.Implement network segmentation and strict access controls to limit exposure
AnswerD

Segmentation and access controls reduce the likelihood and impact of exploitation, providing a compensating control when patching is infeasible.

Why this answer

Network segmentation combined with strict access controls limits the attack surface and potential impact, providing a practical risk reduction when patching is not possible. Removing the server would disrupt business, hotfixes are unavailable, and replacement is a long-term project.

147
MCQhard

A vulnerability report has 900 findings. One medium CVSS vulnerability is listed in CISA KEV and has high EPSS; several high CVSS issues are not exploitable in the environment. What should the analyst recommend? For business prioritization, Which recommendation gives the best risk-based order of work?

A.Always sort only by CVSS base score
B.Remediate alphabetically by CVE ID
C.Prioritize the KEV/high-EPSS issue after confirming asset exposure
D.Remediate only vulnerabilities with vendor logos in the report
AnswerC

Known exploitation and likelihood can outweigh base CVSS in risk-based prioritization.

Why this answer

Option C is correct because it combines threat intelligence (CISA KEV and high EPSS) with environmental context (asset exposure) to prioritize the vulnerability that is actively exploited and likely to be used in attacks, even though its CVSS base score is medium. This aligns with risk-based vulnerability management, which weights exploitability and business impact over raw severity scores.

Exam trap

Cisco often tests the misconception that CVSS base score alone determines priority, but the trap here is that candidates ignore the KEV/EPSS context and choose to remediate high-CVSS issues first, failing to apply risk-based prioritization that accounts for real-world exploitability.

How to eliminate wrong answers

Option A is wrong because sorting only by CVSS base score ignores exploitability context (e.g., KEV, EPSS) and environmental mitigations, leading to wasted effort on high-CVSS but non-exploitable issues. Option B is wrong because remediating alphabetically by CVE ID has no relation to risk, exploitability, or business impact, and is a purely arbitrary ordering. Option D is wrong because vendor logos do not indicate exploitability or risk; a vulnerability with a vendor logo may still be non-exploitable in the environment, while a KEV-listed vulnerability without a logo poses real threat.

148
Multi-Selecthard

A cloud security posture tool reports public access on object storage. Which follow-up checks matter? (Choose two.)

Select 2 answers
A.Whether the storage account name is short
B.Whether sensitive objects were accessed or downloaded
C.Whether the administrator uses dark mode
D.Whether public access is effectively allowed by bucket and account policies
AnswersB, D

Access evidence supports impact assessment.

Why this answer

Option B is correct because the primary concern with public access to object storage is data exposure. Checking whether sensitive objects were accessed or downloaded determines if a breach actually occurred, which is a critical follow-up step in vulnerability management. Without this check, you cannot assess the real-world impact of the misconfiguration.

Exam trap

The trap here is that candidates often focus on the misconfiguration itself (public access) rather than the necessary forensic step of verifying actual data exposure, leading them to pick irrelevant options like account name length or UI settings.

149
Multi-Selectmedium

Which three of the following are key considerations when implementing a vulnerability management lifecycle in an enterprise environment? (Choose three.)

Select 3 answers
.Establishing a remediation prioritization framework based on asset criticality and exploitability
.Scanning all assets with the highest possible scan intensity to ensure no vulnerability is missed
.Integrating threat intelligence feeds to contextualize vulnerabilities and focus on active threats
.Performing vulnerability scans only during off-peak hours to minimize network disruption
.Defining a formal remediation SLA that aligns with organizational risk tolerance
.Using default scan credentials from the vulnerability scanner vendor for consistency

Why this answer

Establishing a remediation prioritization framework based on asset criticality and exploitability is correct because it ensures that vulnerabilities posing the greatest risk to the business are addressed first. This aligns with risk-based vulnerability management, where not all vulnerabilities are equal; prioritizing by asset value and exploitability (e.g., CVSS exploitability metrics or active exploitation evidence) optimizes resource allocation and reduces overall risk exposure.

Exam trap

CompTIA often tests the distinction between operational best practices (like scanning intensity or timing) and strategic lifecycle components (like prioritization frameworks, threat intelligence integration, and SLA definitions), leading candidates to confuse tactical scanning habits with core lifecycle pillars.

← PreviousPage 2 of 2 · 149 questions total

Ready to test yourself?

Try a timed practice session using only Vulnerability Management questions.