- In the context of cybersecurity, which technique is used in an IDS to detect threats based on known attack patterns?
- Anomaly-based detection
- Signature-based detection
- Heuristic-based detection
- Behavioral-based detection
Correct answer: Signature-based detection
Correct answer: Signature-based detection. Explanation: Signature-based detection in an Intrusion Detection System (IDS) relies on known patterns of malicious activities, such as byte sequences in network traffic, or known malicious instruction sequences used by malware. It compares these signatures against observed events to identify potential threats.
- What is the primary purpose of a honeypot in network security?
- To encrypt data transmissions
- To serve as a decoy to attract potential attackers
- To filter malicious traffic
- To provide redundancy in case of network failure
Correct answer: To serve as a decoy to attract potential attackers
Correct answer: To serve as a decoy to attract potential attackers. Explanation: A honeypot in network security is primarily used as a decoy to attract potential attackers. By mimicking vulnerable systems, it diverts attacks from real targets and allows for the study of attack techniques and behaviors.
- In threat intelligence, what is the primary objective of indicator of compromise IoC analysis?
- Predicting future attacks
- Detecting active security breaches
- Assessing the impact of a breach
- Patching software vulnerabilities
Correct answer: Detecting active security breaches
Correct answer: Detecting active security breaches. Explanation: The primary objective of IoC analysis in threat intelligence is to detect active security breaches. IoCs are pieces of forensic data, such as system log entries or files, that identify potentially malicious activity on a system or network.
- Which type of attack involves overwhelming a target with traffic to make it inaccessible?
- Phishing attack
- SQL injection
- Distributed Denial-of-Service (DDoS)
- Cross-site scripting (XSS)
Correct answer: Distributed Denial-of-Service (DDoS)
Correct answer: Distributed Denial-of-Service (DDoS). Explanation: A Distributed Denial-of-Service (DDoS) attack involves overwhelming a target, such as a server or network, with a flood of Internet traffic. This attack aims to render the target inaccessible to legitimate users.
- What is the primary purpose of a Security Information and Event Management (SIEM) system?
- Preventing unauthorized access to network resources
- Providing real-time analysis of security alerts
- Encrypting data transmissions
- Scanning for malware on endpoints
Correct answer: Providing real-time analysis of security alerts
Correct answer: Providing real-time analysis of security alerts. Explanation: The primary purpose of a SIEM system is to provide real-time analysis of security alerts generated by applications and network hardware. It aggregates and analyzes data from various sources to identify anomalies that might indicate a security threat.
- Which cybersecurity framework focuses on improving the cyber resilience of critical infrastructure?
- ISO 27001
- NIST Cybersecurity Framework
- COBIT
- OWASP
Correct answer: NIST Cybersecurity Framework
Correct answer: NIST Cybersecurity Framework. Explanation: The NIST Cybersecurity Framework is specifically designed to improve the cyber resilience of critical infrastructure. It provides guidelines and best practices to help organizations manage and reduce cybersecurity risk.
- In cybersecurity, what is the main purpose of threat hunting?
- Responding to detected security incidents
- Proactively searching for undetected threats within a network
- Patching vulnerabilities in software
- Encrypting sensitive data
Correct answer: Proactively searching for undetected threats within a network
Correct answer: Proactively searching for undetected threats within a network. Explanation: Threat hunting involves proactively searching for cyber threats that are lurking undetected in a network. Unlike traditional threat management strategies, it assumes that the organization has already been compromised and seeks to identify and mitigate these threats.
- Which attack method involves injecting malicious scripts into web pages viewed by users?
- Man-in-the-middle attack
- Cross-site scripting (XSS)
- SQL injection
- Ransomware
Correct answer: Cross-site scripting (XSS)
Correct answer: Cross-site scripting (XSS). Explanation: Cross-site scripting (XSS) attacks involve injecting malicious scripts into web pages that are viewed by users. The attacker uses web applications to send malicious code, typically in the form of a browser-side script, to a different end user.
- What is the primary function of file integrity monitoring (FIM) in cybersecurity?
- Detecting unauthorized changes to files
- Scanning files for malware
- Backing up important files
- Encrypting file contents
Correct answer: Detecting unauthorized changes to files
Correct answer: Detecting unauthorized changes to files. Explanation: File integrity monitoring (FIM) is primarily used to detect unauthorized changes to critical files. It's a key security control that helps in identifying changes that may indicate a cybersecurity threat, such as tampering or malware infection.
- In the context of cybersecurity, what is 'credential stuffing'?
- The process of encrypting user credentials
- A type of phishing attack to gain user credentials
- The automated injection of breached username/password pairs to gain unauthorized access
- Storing user credentials in a secure database
Correct answer: The automated injection of breached username/password pairs to gain unauthorized access
Correct answer: The automated injection of breached username/password pairs to gain unauthorized access. Explanation: Credential stuffing is a cyber attack method where attackers use automated tools to inject stolen username/password pairs in order to gain unauthorized access to user accounts. This attack relies on the fact that many users reuse the same credentials across multiple services.
- What technique is commonly used in cyber threat intelligence for correlating large sets of data to identify potential threats?
- Data encryption
- Data mining
- Firewall filtering
- Antivirus scanning
Correct answer: Data mining
Correct answer: Data mining. Explanation: Data mining is a technique used in cyber threat intelligence to correlate large sets of data. It involves analyzing large volumes of data to discover patterns and relationships that can help in identifying potential cyber threats.
- In cybersecurity, what is the main purpose of using a sandbox environment?
- To encrypt sensitive data
- To test security controls
- To isolate and analyze suspicious code
- To backup critical systems
Correct answer: To isolate and analyze suspicious code
Correct answer: To isolate and analyze suspicious code. Explanation: A sandbox environment in cybersecurity is used to isolate and analyze suspicious code without risking the main network or systems. It's a safe environment where potentially dangerous programs can be executed and their behavior observed.
- Which method is most effective for detecting zero-day exploits?
- Signature-based detection
- Anomaly-based detection
- Firewalls
- Antivirus software
Correct answer: Anomaly-based detection
Correct answer: Anomaly-based detection. Explanation: Anomaly-based detection is effective for detecting zero-day exploits because it identifies unusual behaviors or patterns in systems and networks, which are indicative of new, previously unknown threats.
- What is the primary goal of a DDoS (Distributed Denial of Service) attack?
- To steal sensitive information
- To disrupt the availability of a service or resource
- To encrypt data for ransom
- To gain unauthorized access to systems
Correct answer: To disrupt the availability of a service or resource
Correct answer: To disrupt the availability of a service or resource. Explanation: The primary goal of a DDoS attack is to disrupt the availability of a service or resource by overwhelming it with a flood of internet traffic. This type of attack is aimed at making the targeted service or resource inaccessible to its intended users.
- In threat management, what is the primary function of a SIEM (Security Information and Event Management) system?
- Blocking malware
- Real-time analysis and reporting of security events
- Filtering network traffic
- Encrypting data transmissions
Correct answer: Real-time analysis and reporting of security events
Correct answer: Real-time analysis and reporting of security events. Explanation: The primary function of a SIEM system in threat management is to provide real-time analysis and reporting of security events. It aggregates data from multiple sources, providing insights into potential security incidents.
- Which type of cyber attack involves manipulating a user into disclosing confidential information or performing actions?
- Phishing
- SQL injection
- Rootkit installation
- Man-in-the-middle attack
Correct answer: Phishing
Correct answer: Phishing. Explanation: Phishing is a type of cyber attack that involves tricking or manipulating a user into disclosing confidential information or performing certain actions. It often involves sending deceptive messages that appear to be from trusted sources.
- What is the primary focus of behavioral analytics in cybersecurity?
- Monitoring user behaviors to detect anomalies
- Encrypting user data
- Optimizing network performance
- Firewall management
Correct answer: Monitoring user behaviors to detect anomalies
Correct answer: Monitoring user behaviors to detect anomalies. Explanation: Behavioral analytics in cybersecurity focuses on monitoring user behaviors to detect anomalies that could indicate a security threat. It analyzes patterns and trends in user activity to identify actions that deviate from the norm.
- Which cybersecurity tool is primarily used for deep packet inspection of network traffic?
- Intrusion Detection System (IDS)
- Virtual Private Network (VPN)
- Network firewall
- Proxy server
Correct answer: Intrusion Detection System (IDS)
Correct answer: Intrusion Detection System (IDS). Explanation: An Intrusion Detection System (IDS) is used for deep packet inspection of network traffic. It examines the contents of packets to detect malicious activity or policy violations.
- In the context of threat intelligence, what is the main purpose of STIX (Structured Threat Information eXpression)?
- To encrypt communication between devices
- To standardize the exchange of cyber threat information
- To monitor network traffic
- To scan for vulnerabilities in software
Correct answer: To standardize the exchange of cyber threat information
Correct answer: To standardize the exchange of cyber threat information. Explanation: STIX is a language and serialization format used to exchange cyber threat intelligence. It enables organizations to share information about threats in a consistent and machine-readable format.
- What is the role of a threat actor in the context of cybersecurity?
- A user within an organization who manages security systems
- A software tool used to detect vulnerabilities
- An individual or group responsible for a cyber attack
- A protocol for secure data transmission
Correct answer: An individual or group responsible for a cyber attack
Correct answer: An individual or group responsible for a cyber attack. Explanation: In cybersecurity, a threat actor is an individual or group that is responsible for initiating a cyber attack. They can range from solo hackers to organized crime groups or state-sponsored entities.
- Which of the following is a primary characteristic of Advanced Persistent Threats (APTs)?
- High-profile and publicly announced attacks
- Short duration and immediate damage
- Long-term presence and stealth
- Random and automated attacks
Correct answer: Long-term presence and stealth
Correct answer: Long-term presence and stealth. Explanation: Advanced Persistent Threats (APTs) are characterized by their long-term presence and stealthy behavior. They aim to remain undetected within a network for extended periods to continuously gather sensitive information.
- In cybersecurity, what does the term 'chain of custody' refer to?
- The hierarchy of command within a security team
- The process of encrypting data to ensure its integrity
- The documentation that tracks evidence from collection to presentation
- The sequence of security measures applied to protected data
Correct answer: The documentation that tracks evidence from collection to presentation
Correct answer: The documentation that tracks evidence from collection to presentation. Explanation: The chain of custody in cybersecurity refers to the documentation that records the handling of evidence from the time it's collected until it's presented in court. This process ensures the integrity and authenticity of the evidence.
- What is the primary purpose of a vulnerability scanner in cybersecurity?
- Detecting unauthorized network access
- Identifying weaknesses in systems and networks
- Monitoring real-time network traffic
- Encrypting sensitive data
Correct answer: Identifying weaknesses in systems and networks
Correct answer: Identifying weaknesses in systems and networks. Explanation: The primary purpose of a vulnerability scanner in cybersecurity is to identify weaknesses in systems and networks. It scans for known vulnerabilities and generates reports on security loopholes that need to be addressed.
- Which attack involves intercepting and altering communications between two parties without their knowledge?
- Denial-of-Service attack
- Phishing attack
- Man-in-the-middle attack
- SQL injection attack
Correct answer: Man-in-the-middle attack
Correct answer: Man-in-the-middle attack. Explanation: A man-in-the-middle attack involves an attacker secretly intercepting and possibly altering the communication between two parties who believe they are directly communicating with each other. This attack can occur in both digital and physical communications.
- In threat management, what is the function of a 'sinkhole' in terms of network security?
- To serve as a decoy system for attackers
- To redirect malicious traffic away from the network
- To encrypt data transmissions
- To monitor and log user activities
Correct answer: To redirect malicious traffic away from the network
Correct answer: To redirect malicious traffic away from the network. Explanation: In network security, a 'sinkhole' is used to redirect malicious traffic away from the network. By rerouting this traffic to a controlled destination, it can be analyzed, and the network is protected from potential harm.
- Which cybersecurity principle involves the use of multiple layers of security controls and defenses?
- Defense in depth
- Least privilege
- Risk management
- Single point of failure
Correct answer: Defense in depth
Correct answer: Defense in depth. Explanation: Defense in depth is a cybersecurity principle that involves implementing multiple layers of security controls and defenses throughout an IT system. It is designed to provide redundancy in the event that a security control fails or a vulnerability is exploited.
- In cybersecurity, what is the primary purpose of conducting a vulnerability scan?
- To detect active network intrusions
- To identify weaknesses in systems and applications
- To monitor network traffic for malicious activity
- To recover data after a security breach
Correct answer: To identify weaknesses in systems and applications
Correct answer: To identify weaknesses in systems and applications. Explanation: The primary purpose of conducting a vulnerability scan is to identify vulnerabilities or weaknesses in systems and applications. This proactive measure helps organizations understand their exposure to potential cyber threats and take necessary steps to mitigate risks.
- Which technique is used in cybersecurity to disguise and hide data in plain sight, typically within another file or data stream?
- Encryption
- Tokenization
- Steganography
- Obfuscation
Correct answer: Steganography
Correct answer: Steganography. Explanation: Steganography is a cybersecurity technique used to hide data within another file or data stream. Unlike encryption, which protects the contents of a message, steganography hides the existence of the message itself.
- What is the main function of a Security Operations Center (SOC.) in an organization?
- Developing and implementing security policies
- Providing customer support for technical issues
- Continuously monitoring and analyzing an organization's security posture
- Training employees on cybersecurity awareness
Correct answer: Continuously monitoring and analyzing an organization's security posture
Correct answer: Continuously monitoring and analyzing an organization's security posture. Explanation: The main function of a Security Operations Center (SOC.) is to continuously monitor and analyze an organization's security posture. The SOC team is responsible for detecting, analyzing, and responding to cybersecurity incidents using a combination of technology solutions and a strong set of processes.
- Which of the following vulnerability scanning techniques is LEAST likely to be detected by intrusion detection systems?
- Credentialed Scanning
- Non-credentialed Scanning
- Passive Scanning
- Active Scanning
Correct answer: Passive Scanning
Correct answer: Passive Scanning. Explanation: Passive scanning is least likely to be detected by intrusion detection systems as it does not send active probes or requests to the target systems. Instead, it monitors network traffic to infer vulnerabilities, making it less detectable.
- In vulnerability management, what is the main purpose of a "false negative" result?
- Indicating that a system is secure when it is not
- Correctly identifying the absence of vulnerabilities
- Incorrectly signaling the presence of a vulnerability
- Identifying vulnerabilities that do not pose a risk
Correct answer: Indicating that a system is secure when it is not
Correct answer: Indicating that a system is secure when it is not. Explanation: A false negative in vulnerability management occurs when a test incorrectly indicates that a system is secure, overlooking actual vulnerabilities. This can lead to a false sense of security and unaddressed risks.
- Which of the following best describes the role of fuzzing in vulnerability management?
- Validating network segmentation
- Generating random data to test for software crashes
- Ensuring compliance with security policies
- Scanning for unpatched software
Correct answer: Generating random data to test for software crashes
Correct answer: Generating random data to test for software crashes. Explanation: Fuzzing in vulnerability management involves generating random data inputs to software applications to test for crashes, memory leaks, or other potential vulnerabilities. It is used to identify weaknesses that might not be detected through conventional testing methods.
- In the context of vulnerability scanning, what does the term "pivot" refer to?
- The ability to change scanning tactics based on results
- Using a compromised system to launch further attacks
- Shifting from passive to active scanning techniques
- Moving from network-level to application-level scanning
Correct answer: Using a compromised system to launch further attacks
Correct answer: Using a compromised system to launch further attacks. Explanation: In vulnerability scanning, "pivot" refers to the technique of using a compromised system as a launch point to exploit vulnerabilities in other systems. This is a critical concept in understanding how attackers can move laterally through a network.
- What is a primary concern when conducting authenticated vulnerability scans?
- Network bandwidth consumption
- Unauthorized data access
- Scan-induced system crashes
- Credential theft
Correct answer: Scan-induced system crashes
Correct answer: Scan-induced system crashes. Explanation: A primary concern with authenticated vulnerability scans is the potential for scan-induced system crashes. These scans can be more invasive and interact deeply with the system, possibly leading to instability or crashes.
- Which term best describes a situation where a vulnerability scanner incorrectly identifies a secure system as vulnerable?
- True Positive
- False Negative
- False Positive
- True Negative
Correct answer: False Positive
Correct answer: False Positive. Explanation: A false positive in vulnerability scanning occurs when the scanner incorrectly identifies a secure system as being vulnerable. This can lead to unnecessary resource allocation for addressing non-existent issues.
- In vulnerability management, what is the significance of CVSS scoring?
- Determining the complexity of exploiting a vulnerability
- Prioritizing vulnerability remediation efforts
- Calculating the financial impact of a potential breach
- Assessing the effectiveness of deployed security controls
Correct answer: Prioritizing vulnerability remediation efforts
Correct answer: Prioritizing vulnerability remediation efforts. Explanation: The Common Vulnerability Scoring System (CVSS) provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity. This score is used to prioritize vulnerability remediation efforts based on the risk they pose.
- Which vulnerability assessment technique involves examining the system from within to simulate an attack by a malicious insider?
- Black box testing
- White box testing
- Gray box testing
- Red teaming
Correct answer: White box testing
Correct answer: White box testing. Explanation: White box testing in vulnerability assessment involves examining the system from within, with knowledge of the system, to simulate an attack by a malicious insider. This approach offers comprehensive insights into internal threats and weaknesses.
- When a vulnerability scanner reports a vulnerability due to outdated software, but the software is actually up to date, this is an example of:
- True Positive
- False Negative
- False Positive
- True Negative
Correct answer: False Positive
Correct answer: False Positive. Explanation: This scenario is an example of a false positive, where the vulnerability scanner incorrectly reports a vulnerability (outdated software) when, in reality, the software is up to date. False positives can lead to wasted efforts in addressing non-existent issues.
- What is the primary benefit of using automated vulnerability scanning tools in an organization?
- Eliminating the need for security policies
- Completely securing the network
- Reducing the time and resources needed for scans
- Guaranteeing compliance with all regulations
Correct answer: Reducing the time and resources needed for scans
Correct answer: Reducing the time and resources needed for scans. Explanation: The primary benefit of using automated vulnerability scanning tools is the reduction in time and resources needed to conduct comprehensive vulnerability scans. These tools can quickly and efficiently scan systems for known vulnerabilities, aiding in timely identification and remediation.
- Which of the following best describes the purpose of a penetration test in the context of vulnerability management?
- Assessing the physical security of data centers
- Evaluating the effectiveness of security policies
- Simulating an attack to identify exploitable vulnerabilities
- Monitoring network traffic for malicious activities
Correct answer: Simulating an attack to identify exploitable vulnerabilities
Correct answer: Simulating an attack to identify exploitable vulnerabilities. Explanation: Penetration testing in vulnerability management involves simulating an attack on a system, network, or application to identify exploitable vulnerabilities. This proactive approach helps in understanding potential security weaknesses from an attacker's perspective.
- In vulnerability management, what is the primary role of a patch management system?
- Detecting intrusions in real-time
- Automating the deployment of software updates
- Filtering spam from email
- Encrypting sensitive data
Correct answer: Automating the deployment of software updates
Correct answer: Automating the deployment of software updates. Explanation: The primary role of a patch management system in vulnerability management is to automate the deployment of software updates and patches. This ensures that systems and applications are up-to-date with the latest security fixes, reducing the risk of exploitation.
- Which vulnerability assessment methodology focuses on the security of third-party components within a system?
- Static application security testing (SAST)
- Dynamic application security testing (DAST)
- Software composition analysis (SCA)
- Network enumeration
Correct answer: Software composition analysis (SCA)
Correct answer: Software composition analysis (SCA). Explanation: Software composition analysis (SCA) focuses on identifying and assessing the security of third-party components and libraries within a system. It helps in understanding vulnerabilities associated with these external dependencies.
- In the context of vulnerability management, what is the main objective of threat modeling?
- Developing strategies to mitigate detected vulnerabilities
- Identifying potential threats and modeling their possible impacts
- Encrypting data to protect against breaches
- Monitoring for active attacks in real-time
Correct answer: Identifying potential threats and modeling their possible impacts
Correct answer: Identifying potential threats and modeling their possible impacts. Explanation: The main objective of threat modeling in vulnerability management is to identify potential threats and model their possible impacts on the system. This proactive approach helps in understanding and preparing for various attack vectors.
- Which of the following best defines a zero-day vulnerability?
- A vulnerability that has been known for less than a day
- A vulnerability for which there is no available patch
- A vulnerability discovered during the first day of a product's release
- A vulnerability affecting all versions of a software
Correct answer: A vulnerability for which there is no available patch
Correct answer: A vulnerability for which there is no available patch. Explanation: A zero-day vulnerability refers to a security flaw that is unknown to the software vendor or for which a patch or solution is not yet available. These vulnerabilities are particularly dangerous because they can be exploited before a fix is developed.
- What is the primary benefit of continuous vulnerability scanning as compared to periodic scanning?
- Eliminates the need for manual intervention
- Detects vulnerabilities in real-time
- Reduces the workload on IT staff
- Ensures 100% removal of all vulnerabilities
Correct answer: Detects vulnerabilities in real-time
Correct answer: Detects vulnerabilities in real-time. Explanation: Continuous vulnerability scanning offers the primary benefit of detecting vulnerabilities in real-time, as opposed to periodic scanning which may miss new vulnerabilities that appear between scans. This continuous approach helps in maintaining a more secure and up-to-date security posture.
- In vulnerability management, what is the primary purpose of a baseline configuration?
- To provide a standard for secure system settings
- To serve as a backup for system recovery
- To monitor network traffic for anomalies
- To encrypt data transmissions
Correct answer: To provide a standard for secure system settings
Correct answer: To provide a standard for secure system settings. Explanation: The primary purpose of a baseline configuration in vulnerability management is to provide a standard for secure system settings. Baselines help in ensuring that systems are configured with an optimal security posture and are used as a reference for future audits and comparisons.
- Which technology is primarily used to isolate applications in their own secure environment to prevent vulnerabilities from affecting other applications?
- Virtual private networks (VPNs)
- Firewalls
- Antivirus software
- Application containers
Correct answer: Application containers
Correct answer: Application containers. Explanation: Application containers are used to isolate applications in their own secure environments. This isolation prevents vulnerabilities in one application from affecting others, enhancing overall system security.
- What is the role of a vulnerability feed in a vulnerability management program?
- Providing real-time alerts on active network attacks
- Supplying updated information on new and existing vulnerabilities
- Distributing patches for software vulnerabilities
- Monitoring user activities for suspicious behavior
Correct answer: Supplying updated information on new and existing vulnerabilities
Correct answer: Supplying updated information on new and existing vulnerabilities. Explanation: A vulnerability feed plays a critical role in a vulnerability management program by supplying updated information on new and existing vulnerabilities. This information helps organizations stay informed about emerging threats and how to address them.
- What is a primary consideration when performing vulnerability scans on production systems?
- Ensuring regulatory compliance
- Avoiding performance degradation during business hours
- Encrypting all data in transit
- Monitoring all user access to the system
Correct answer: Avoiding performance degradation during business hours
Correct answer: Avoiding performance degradation during business hours. Explanation: When performing vulnerability scans on production systems, a primary consideration is to avoid performance degradation, especially during business hours. Scans can be resource-intensive and may impact system performance, so scheduling them appropriately is crucial.
- What is the primary goal of implementing a Security Information and Event Management (SIEM) system in the context of vulnerability management?
- To automate the patching process
- To provide real-time analysis of security alerts
- To serve as a primary firewall
- To encrypt sensitive data
Correct answer: To provide real-time analysis of security alerts
Correct answer: To provide real-time analysis of security alerts. Explanation: The primary goal of a Security Information and Event Management (SIEM) system in vulnerability management is to provide real-time analysis of security alerts generated by network hardware and applications. SIEM is crucial for early detection of potential vulnerabilities and threats.
- In vulnerability management, what is the purpose of implementing a honeypot?
- To serve as a primary method of data encryption
- To attract attackers for the purpose of monitoring and analysis
- To provide a backup for critical data
- To filter spam and phishing emails
Correct answer: To attract attackers for the purpose of monitoring and analysis
Correct answer: To attract attackers for the purpose of monitoring and analysis. Explanation: A honeypot in vulnerability management is a decoy system designed to attract attackers. Its purpose is to divert attacks from real targets and allow the security team to monitor and analyze attack techniques.
- Which aspect of vulnerability management is specifically concerned with identifying weak points in wireless networks?
- Network sniffing
- War driving
- Penetration testing
- Phishing simulation
Correct answer: War driving
Correct answer: War driving. Explanation: War driving refers to the act of searching for wireless networks by a person in a moving vehicle, using a portable computer or smartphone. It is specifically concerned with identifying weak points in wireless networks, such as unsecured access points.
- What is the primary function of a Web Application Firewall (WAF) in the context of vulnerability management?
- Monitoring outbound traffic for data exfiltration
- Encrypting data stored in databases
- Protecting web applications by filtering and monitoring HTTP traffic
- Providing VPN services for remote workers
Correct answer: Protecting web applications by filtering and monitoring HTTP traffic
Correct answer: Protecting web applications by filtering and monitoring HTTP traffic. Explanation: In vulnerability management, the primary function of a Web Application Firewall (WAF) is to protect web applications by filtering and monitoring HTTP traffic. WAFs are used to prevent attacks such as SQL injection, cross-site scripting (XSS), and others that target web applications.
- When conducting a vulnerability scan, what does "credential scanning" imply?
- Scanning without any access to internal resources
- Using stolen credentials to perform the scan
- Scanning with authorized credentials to access and assess internal resources
- Checking for weak or default passwords
Correct answer: Scanning with authorized credentials to access and assess internal resources
Correct answer: Scanning with authorized credentials to access and assess internal resources. Explanation: Credential scanning in vulnerability management implies using authorized credentials to perform the scan. This allows the scanner to access and assess internal resources more thoroughly, identifying vulnerabilities that might not be visible with non-credentialed scanning.
- Which strategy in vulnerability management focuses on prioritizing the remediation of vulnerabilities based on the potential impact to the organization?
- Baseline reporting
- Threat hunting
- Risk-based vulnerability management
- Compliance scanning
Correct answer: Risk-based vulnerability management
Correct answer: Risk-based vulnerability management. Explanation: Risk-based vulnerability management is a strategy that involves prioritizing the remediation of vulnerabilities based on their potential impact on the organization. This approach ensures that resources are allocated to address the most critical vulnerabilities first.
- What is the main purpose of a "black box" testing approach in vulnerability assessment?
- Testing with knowledge of the network infrastructure
- Testing without any prior knowledge of the system
- Conducting internal testing with administrative privileges
- Focusing solely on physical security measures
Correct answer: Testing without any prior knowledge of the system
Correct answer: Testing without any prior knowledge of the system. Explanation: "Black box" testing in vulnerability assessment is performed without any prior knowledge of the system's network infrastructure or software. This approach simulates an external attack, revealing vulnerabilities that are visible to an outsider without internal information.
- In vulnerability management, what is the significance of a vulnerability's "attack vector"?
- The specific method or path used by an attacker to exploit the vulnerability
- The software or tool used to detect the vulnerability
- The code written to patch the vulnerability
- The network location where the vulnerability is found
Correct answer: The specific method or path used by an attacker to exploit the vulnerability
Correct answer: The specific method or path used by an attacker to exploit the vulnerability. Explanation: The "attack vector" of a vulnerability refers to the specific method or path an attacker uses to exploit it. Understanding the attack vector is crucial for vulnerability management, as it helps in determining how a vulnerability can be exploited and what measures can be taken to mitigate it.
- Which of the following best describes the role of "red teaming" in vulnerability management?
- Implementing defensive security measures
- Conducting aggressive network defense
- Simulating attacks to test the effectiveness of security measures
- Managing network traffic to prevent intrusions
Correct answer: Simulating attacks to test the effectiveness of security measures
Correct answer: Simulating attacks to test the effectiveness of security measures. Explanation: "Red teaming" in vulnerability management involves simulating attacks on an organization's network and systems to test the effectiveness of security measures. This approach helps in identifying vulnerabilities and assessing the readiness of the organization to defend against real attacks.
- What is the primary purpose of "chain of custody" documentation in the context of vulnerability management?
- To track the movement and handling of physical security devices
- To record the response times of the security team
- To maintain a log of all security policy changes
- To ensure the integrity of evidence for legal proceedings
Correct answer: To ensure the integrity of evidence for legal proceedings
Correct answer: To ensure the integrity of evidence for legal proceedings. Explanation: In vulnerability management, the "chain of custody" documentation is crucial for ensuring the integrity of evidence in the event of legal proceedings. It records the movement and handling of evidence, maintaining its credibility and admissibility in court.
- During a cyber incident response, which type of analysis focuses on identifying the tactics, techniques, and procedures (TTPs) of attackers?
- Forensic analysis
- Log analysis
- Threat intelligence analysis
- Vulnerability analysis
Correct answer: Threat intelligence analysis
Correct answer: Threat intelligence analysis. Explanation: Threat intelligence analysis is focused on understanding the tactics, techniques, and procedures (TTPs) of attackers. It involves gathering and analyzing information about current or potential attacks that could threaten the security of an organization.
- In the context of incident response, what is the primary purpose of a 'kill chain' model?
- To outline the structure of the incident response team
- To identify potential vulnerabilities in the system
- To describe the stages of a cyber attack
- To prioritize incident response activities
Correct answer: To describe the stages of a cyber attack
Correct answer: To describe the stages of a cyber attack. Explanation: The 'kill chain' model is used in cyber security to describe the stages of a cyber attack. It helps in understanding each step of an attack, from reconnaissance to actions on objectives, thereby aiding in the development of effective defense strategies.
- Which of the following is a key activity in the Preparation phase of the Incident Response Lifecycle?
- Conducting a root cause analysis
- Establishing communication plans
- Performing data exfiltration analysis
- Implementing containment measures
Correct answer: Establishing communication plans
Correct answer: Establishing communication plans. Explanation: In the Preparation phase of the Incident Response Lifecycle, establishing communication plans is a key activity. Effective communication strategies are essential for coordinating response efforts and disseminating information during an incident.
- What is the main objective of triage in cybersecurity incident response?
- To restore systems to their original state
- To classify and prioritize incidents
- To identify the perpetrator of the incident
- To analyze the impact on business operations
Correct answer: To classify and prioritize incidents
Correct answer: To classify and prioritize incidents. Explanation: The main objective of triage in cybersecurity incident response is to classify and prioritize incidents based on their severity, impact, and urgency. This process ensures that resources are allocated effectively to address the most critical incidents first.
- In incident response, what is the significance of the term 'Indicators of Compromise' (IoCs)?
- Measures taken to prevent future incidents
- Evidence of successful security policies
- Artifacts or actions indicating a potential security breach
- Benchmarks for incident response time
Correct answer: Artifacts or actions indicating a potential security breach
Correct answer: Artifacts or actions indicating a potential security breach. Explanation: Indicators of Compromise (IoCs) are artifacts or actions that strongly suggest a network or system has been breached. Identifying IoCs is crucial in the early stages of incident detection and response.
- Which tool is most commonly used in the containment phase of a cybersecurity incident response to isolate affected systems?
- Intrusion Detection System (IDS)
- Data Loss Prevention (DLP) tools
- Firewall
- Antivirus software
Correct answer: Firewall
Correct answer: Firewall. Explanation: During the containment phase of a cybersecurity incident, firewalls are commonly used to isolate affected systems. They can restrict network traffic to and from the compromised systems, preventing the spread of the incident.
- What is the primary goal of 'chain of custody' in the context of cyber incident response?
- To ensure that incident response actions are transparent
- To maintain and document the integrity of physical and digital evidence
- To establish a timeline of the incident response activities
- To delegate responsibilities among the incident response team
Correct answer: To maintain and document the integrity of physical and digital evidence
Correct answer: To maintain and document the integrity of physical and digital evidence. Explanation: The primary goal of maintaining a 'chain of custody' in cyber incident response is to ensure that the integrity of physical and digital evidence is preserved and documented. This is crucial for legal and investigative purposes.
- In cyber incident response, what is the primary purpose of performing a root cause analysis?
- To assess the financial impact of the incident
- To identify the underlying cause of the incident
- To document the response process for future reference
- To determine the effectiveness of the response team
Correct answer: To identify the underlying cause of the incident
Correct answer: To identify the underlying cause of the incident. Explanation: The primary purpose of performing a root cause analysis in cyber incident response is to identify the underlying cause of the security incident. Understanding the root cause is essential for implementing effective remediation strategies and preventing future occurrences.
- Which phase of the Incident Response Lifecycle involves analyzing the incident to improve future response and prevention measures?
- Preparation
- Detection and Analysis
- Containment, Eradication, and Recovery
- Post-Incident Activity
Correct answer: Post-Incident Activity
Correct answer: Post-Incident Activity. Explanation: The Post-Incident Activity phase of the Incident Response Lifecycle involves analyzing the incident, documenting lessons learned, and implementing improvements to future response and prevention measures.
- In the context of cyber incident response, what is the purpose of using sandboxes?
- To isolate and analyze suspicious files or software
- To restore systems to their operational state
- To conduct penetration testing on network defenses
- To encrypt sensitive data during a breach
Correct answer: To isolate and analyze suspicious files or software
Correct answer: To isolate and analyze suspicious files or software. Explanation: In cyber incident response, sandboxes are used to isolate and analyze suspicious files or software in a controlled environment. This allows for safe examination and understanding of the behavior of potential malware without risking the broader network.
- What role does 'attribution' play in cyber incident response?
- Identifying the source or actor responsible for the incident
- Estimating the financial impact of the incident
- Restoring affected systems to operational status
- Implementing new security measures to prevent future incidents
Correct answer: Identifying the source or actor responsible for the incident
Correct answer: Identifying the source or actor responsible for the incident. Explanation: Attribution in cyber incident response involves identifying the source or actor responsible for the incident. It is critical for understanding the nature of the attack and for legal or retaliatory actions.
- During an incident response, what is the significance of 'time stamps' in log files?
- They indicate the severity of the incident
- They provide a chronological order of events
- They determine the effectiveness of the response
- They estimate the cost of the incident
Correct answer: They provide a chronological order of events
Correct answer: They provide a chronological order of events. Explanation: Time stamps in log files are crucial during an incident response as they provide a chronological order of events. This helps in reconstructing the timeline of the incident, which is essential for understanding the sequence of actions and the impact.
- In the context of cybersecurity incident response, what is a 'honeypot' primarily used for?
- Detecting intrusions by mimicking vulnerable systems
- Storing backups of critical data
- Filtering spam and malicious email content
- Encrypting data to prevent unauthorized access
Correct answer: Detecting intrusions by mimicking vulnerable systems
Correct answer: Detecting intrusions by mimicking vulnerable systems. Explanation: A honeypot in cybersecurity is a decoy system designed to mimic vulnerable systems to detect intrusions. It is used to lure attackers and study their behavior without risking the actual network.
- What is the purpose of 'data exfiltration analysis' in cyber incident response?
- To identify data stolen during an incident
- To measure the amount of data processed by the incident response team
- To analyze the data backup efficiency
- To evaluate the performance of the data recovery process
Correct answer: To identify data stolen during an incident
Correct answer: To identify data stolen during an incident. Explanation: Data exfiltration analysis in cyber incident response aims to identify what data was stolen or leaked during an incident. This analysis is crucial for assessing the impact of the breach and for informing stakeholders about the extent of data compromise.
- In incident response, what is the main goal of 'eradication'?
- To remove the components of the incident from the affected systems
- To restore services to their pre-incident state
- To analyze the cause of the incident
- To document the incident for future reference
Correct answer: To remove the components of the incident from the affected systems
Correct answer: To remove the components of the incident from the affected systems. Explanation: The goal of 'eradication' in incident response is to remove the components of the incident, such as malware or unauthorized access, from the affected systems. It is a crucial step to ensure that the threat is completely eliminated.
- Which activity in cyber incident response involves determining the scope and impact of the incident?
- Preparation
- Identification
- Containment
- Recovery
Correct answer: Identification
Correct answer: Identification. Explanation: The Identification activity in cyber incident response involves determining the scope and impact of the incident. This step is essential for understanding the extent of the incident and planning an effective response strategy.
- In cyber incident response, what is the purpose of using 'SIEM' (Security Information and Event Management) tools?
- To encrypt sensitive data
- To manage firewall rules
- To collect, analyze, and report on security data
- To conduct penetration tests
Correct answer: To collect, analyze, and report on security data
Correct answer: To collect, analyze, and report on security data. Explanation: SIEM tools in cyber incident response are used to collect, analyze, and report on security data from various sources. They provide real-time analysis of security alerts and are instrumental in detecting, analyzing, and responding to security incidents.
- What is a primary consideration when choosing a communication method during a cyber incident response?
- The cost of the communication method
- The speed of message delivery
- The security and confidentiality of the communication
- The ease of access to communication tools
Correct answer: The security and confidentiality of the communication
Correct answer: The security and confidentiality of the communication. Explanation: During a cyber incident response, the security and confidentiality of the communication method are of primary importance. Sensitive information about the incident must be protected from unauthorized access or interception.
- In the context of cyber incident response, what is the role of 'digital forensics'?
- To repair damaged systems and restore data
- To analyze digital evidence and investigate the incident
- To implement new security controls
- To conduct risk assessments
Correct answer: To analyze digital evidence and investigate the incident
Correct answer: To analyze digital evidence and investigate the incident. Explanation: Digital forensics in cyber incident response involves the analysis of digital evidence to investigate the incident. It is crucial for uncovering how the breach occurred, who was responsible, and what data was affected.
- Which phase in the incident response process involves taking actions to minimize the impact of the incident?
- Detection
- Containment
- Analysis
- Post-Incident Activity
Correct answer: Containment
Correct answer: Containment. Explanation: The Containment phase in the incident response process involves taking immediate actions to minimize the impact of the incident. This includes isolating affected systems to prevent the spread of the incident and mitigate its effects.
- Which type of report in cybersecurity incident response typically includes detailed technical information about the incident and its remediation?
- Executive summary
- Lessons learned report
- Technical incident report
- Initial incident notification
Correct answer: Technical incident report
Correct answer: Technical incident report. Explanation: The technical incident report in cybersecurity incident response includes detailed technical information about the incident, analysis of the incident, the steps taken to remediate, and recommendations for preventing similar incidents in the future.
- In incident response, what is the primary purpose of 'war gaming' exercises?
- To test the physical security of data centers
- To practice and improve incident response capabilities
- To perform vulnerability scans on the network
- To assess the financial impact of potential incidents
Correct answer: To practice and improve incident response capabilities
Correct answer: To practice and improve incident response capabilities. Explanation: 'War gaming' exercises in incident response are simulations or practice scenarios designed to test and improve the organization's incident response capabilities. They help identify gaps in response plans and prepare teams for real-world incidents.
- What is the primary goal of 'containment strategies' in the incident response process?
- To eradicate the cause of the incident
- To prevent the spread of the incident
- To recover lost or stolen data
- To prosecute the attackers
Correct answer: To prevent the spread of the incident
Correct answer: To prevent the spread of the incident. Explanation: The primary goal of containment strategies in the incident response process is to prevent the spread of the incident. This involves isolating affected systems or networks to limit the impact and prevent further damage.
- During a cyber incident, what is the role of a 'crisis communication plan'?
- To facilitate internal communication within the incident response team
- To guide the dissemination of information to external parties
- To encrypt communications for security
- To monitor news and social media for incident-related information
Correct answer: To guide the dissemination of information to external parties
Correct answer: To guide the dissemination of information to external parties. Explanation: A crisis communication plan during a cyber incident outlines how information should be disseminated to external parties, including the media, customers, and stakeholders. It ensures accurate, timely, and consistent communication during and after an incident.
- In the aftermath of a cybersecurity incident, what is the main focus of 'recovery strategies'?
- Prosecuting the attackers
- Restoring systems and operations to normal
- Conducting a cost analysis of the incident
- Reviewing and updating security policies
Correct answer: Restoring systems and operations to normal
Correct answer: Restoring systems and operations to normal. Explanation: Recovery strategies in the aftermath of a cybersecurity incident focus on restoring systems and operations to normal. This involves repairing and rebuilding affected systems, restoring data, and ensuring that operations can resume securely and efficiently.
- In cybersecurity, what is an 'incident playbook' primarily used for?
- Documenting regulatory compliance
- Outlining specific procedures for responding to different types of incidents
- Recording the financial impact of incidents
- Training new members of the incident response team
Correct answer: Outlining specific procedures for responding to different types of incidents
Correct answer: Outlining specific procedures for responding to different types of incidents. Explanation: An incident playbook in cybersecurity is used to outline specific procedures for responding to various types of incidents. It provides a step-by-step guide to ensure a consistent and effective response to different security scenarios.
- What is the main purpose of conducting 'tabletop exercises' in incident response planning?
- To test the physical security measures of the organization
- To practice the incident response plan in a simulated environment
- To evaluate the technical skills of the response team
- To perform a detailed technical analysis of security tools
Correct answer: To practice the incident response plan in a simulated environment
Correct answer: To practice the incident response plan in a simulated environment. Explanation: Tabletop exercises in incident response planning involve practicing the incident response plan in a simulated environment. These exercises allow teams to discuss and rehearse their roles and responses to hypothetical scenarios, enhancing preparedness.
- Which factor is most critical when establishing the severity level of a cybersecurity incident?
- The technical skills of the incident response team
- The time of day when the incident occurred
- The impact on business operations and data
- The geographical location of the incident
Correct answer: The impact on business operations and data
Correct answer: The impact on business operations and data. Explanation: The severity level of a cybersecurity incident is most critically determined by its impact on business operations and data. This includes considerations like the extent of system compromise, data loss, and disruption to services.
- In incident response, what is the importance of 'root cause analysis'?
- To determine who is responsible for the incident
- To identify underlying vulnerabilities or flaws that led to the incident
- To calculate the financial damages caused by the incident
- To assess the performance of the incident response team
Correct answer: To identify underlying vulnerabilities or flaws that led to the incident
Correct answer: To identify underlying vulnerabilities or flaws that led to the incident. Explanation: Root cause analysis in incident response is critical for identifying the underlying vulnerabilities, flaws, or failures that led to the security incident. Understanding the root cause is essential to prevent similar incidents in the future.
- What is the role of 'situational awareness' in the context of cybersecurity incident response?
- To maintain a constant state of alertness for potential future incidents
- To manage the distribution of security patches
- To document the lessons learned from past incidents
- To track the financial expenditure on security measures
Correct answer: To maintain a constant state of alertness for potential future incidents
Correct answer: To maintain a constant state of alertness for potential future incidents. Explanation: Situational awareness in cybersecurity incident response involves maintaining a constant state of alertness and understanding of the current security environment. This helps in rapidly detecting and responding to potential future incidents.
- In the context of security architecture, what is the primary purpose of a Data Loss Prevention (DLP) system?
- To detect and prevent unauthorized access to the network
- To prevent the unauthorized transmission of sensitive data
- To filter malicious web traffic
- To provide a secure virtual environment for testing
Correct answer: To prevent the unauthorized transmission of sensitive data
Correct answer: To prevent the unauthorized transmission of sensitive data. Explanation: A Data Loss Prevention (DLP) system is primarily designed to detect and prevent the unauthorized transmission of sensitive data outside the corporate network. It monitors, detects, and blocks sensitive data while in-use (endpoint actions), in-motion (network traffic), and at-rest (data storage).
- Which security concept involves distributing a set of backup keys to trusted individuals for safekeeping?
- Key escrow
- Public key infrastructure (PKI)
- Multifactor authentication
- Symmetric encryption
Correct answer: Key escrow
Correct answer: Key escrow. Explanation: Key escrow refers to the security concept of distributing backup copies of cryptographic keys to one or more trusted third parties. This ensures that encrypted data can still be accessed in case the original key is lost, or if legal authorities require access.
- What is the primary function of a Security Information and Event Management (SIEM) system?
- To encrypt data transmissions
- To manage network configurations
- To aggregate and analyze security logs and events
- To scan for vulnerabilities in the network
Correct answer: To aggregate and analyze security logs and events
Correct answer: To aggregate and analyze security logs and events. Explanation: A Security Information and Event Management (SIEM) system primarily aggregates and analyzes security logs and events from multiple sources. It provides real-time analysis of security alerts generated by applications and network hardware, aiding in incident detection and response.
- In cybersecurity, what is the primary purpose of implementing a Zero Trust architecture?
- To reduce hardware costs
- To improve software compatibility
- To trust all users within the network perimeter
- To never trust, always verify, even within the network
Correct answer: To never trust, always verify, even within the network
Correct answer: To never trust, always verify, even within the network. Explanation: The primary purpose of a Zero Trust architecture in cybersecurity is to adopt a "never trust, always verify" approach. It requires verifying every user and device, both inside and outside the network perimeter, before granting access to resources.
- Which tool is primarily used for real-time monitoring of network traffic and packet analysis?
- Wireshark
- Nessus
- Snort
- Splunk
Correct answer: Wireshark
Correct answer: Wireshark. Explanation: Wireshark is a network protocol analyzer widely used for real-time monitoring and analysis of network traffic and packets. It captures and displays data packets in detail, enabling in-depth analysis of network issues and security threats.
- What is the function of a Web Application Firewall (WAF) in cybersecurity?
- To protect against unauthorized data extraction from databases
- To filter, monitor, and block HTTP traffic to and from a web application
- To encrypt web traffic
- To balance load among multiple web servers
Correct answer: To filter, monitor, and block HTTP traffic to and from a web application
Correct answer: To filter, monitor, and block HTTP traffic to and from a web application. Explanation: A Web Application Firewall (WAF) is specifically designed to filter, monitor, and block HTTP traffic to and from a web application. It protects web applications from various attacks such as cross-site scripting (XSS), SQL injection, and others.
- Which technology is primarily used to isolate and run suspicious code or files in a controlled environment?
- Virtual Private Network (VPN)
- Intrusion Prevention System (IPS)
- Sandbox
- Data Loss Prevention (DLP)
Correct answer: Sandbox
Correct answer: Sandbox. Explanation: A sandbox in cybersecurity is a technology used to isolate and run suspicious code, files, or applications in a controlled, secure environment. This allows for the safe examination and analysis of potentially malicious software without risking the main network or system.
- What is the primary purpose of a Network Access Control NAC system?
- To encrypt data in transit
- To monitor server performance
- To manage and enforce security policies for network access
- To provide data redundancy
Correct answer: To manage and enforce security policies for network access
Correct answer: To manage and enforce security policies for network access. Explanation: The primary purpose of a Network Access Control NAC system is to manage and enforce security policies for devices attempting to access the network. NAC systems can deny network access to non-compliant devices, enforce security policy compliance, and segment network access based on identity or compliance status.
- In the context of cloud security, what is the main function of a Cloud Access Security Broker CASB?
- To balance the load across multiple cloud servers
- To provide additional network bandwidth
- To act as a mediator between users and cloud service providers for security
- To backup cloud data to on-premises servers
Correct answer: To act as a mediator between users and cloud service providers for security
Correct answer: To act as a mediator between users and cloud service providers for security. Explanation: A Cloud Access Security Broker CASB acts as a security policy enforcement point, positioned between cloud service consumers and cloud service providers. It ensures that network traffic complies with the organization's security policies and helps manage and secure cloud application usage.
- What is the primary role of an Intrusion Detection System (IDS) in a network security architecture?
- To encrypt data transmissions
- To detect and alert on potential network intrusions
- To manage user authentication
- To provide a secure tunnel for remote access
Correct answer: To detect and alert on potential network intrusions
Correct answer: To detect and alert on potential network intrusions. Explanation: The primary role of an Intrusion Detection System (IDS) in network security is to detect and alert on potential network intrusions. It monitors network traffic and analyzes it for signs of suspicious activity or known threats, thus providing an essential layer of security through surveillance.
- Which type of security testing focuses on evaluating software by observing its execution and monitoring responses to different inputs?
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Manual code review
- Fuzz testing
Correct answer: Dynamic Application Security Testing (DAST)
Correct answer: Dynamic Application Security Testing (DAST). Explanation: Dynamic Application Security Testing (DAST) involves evaluating software by executing it and monitoring its responses to different inputs. It identifies security vulnerabilities in running applications, often from an external perspective.
- What is the primary purpose of the Security Assertion Markup Language (SAML) in cloud security?
- To encrypt data in transit
- To provide a framework for exchanging authentication and authorization data
- To manage network access control
- To monitor cloud infrastructure
Correct answer: To provide a framework for exchanging authentication and authorization data
Correct answer: To provide a framework for exchanging authentication and authorization data. Explanation: SAML (Security Assertion Markup Language) is used in cloud security to provide a framework for exchanging authentication and authorization data between parties, particularly for web browser single sign-on (SSO).
- In cybersecurity, what is the function of a Threat Intelligence Platform (TIP)?
- To encrypt network communications
- To collect, aggregate, and analyze threat data
- To manage software patches
- To perform vulnerability scanning
Correct answer: To collect, aggregate, and analyze threat data
Correct answer: To collect, aggregate, and analyze threat data. Explanation: A Threat Intelligence Platform (TIP) is designed to collect, aggregate, and analyze threat data from multiple sources. It assists in understanding and responding to threats by providing contextual information and intelligence.
- Which type of tool is most effective for detecting vulnerabilities in a network before an attacker does?
- Network Performance Monitor (NPM)
- Intrusion Detection System (IDS)
- Vulnerability Scanner
- Firewall
Correct answer: Vulnerability Scanner
Correct answer: Vulnerability Scanner. Explanation: Vulnerability scanners are specifically designed to detect security vulnerabilities in a network or system. They help in identifying weaknesses before they can be exploited by attackers.
- In a cybersecurity context, what is the main purpose of implementing microsegmentation in a network?
- To reduce data transmission times
- To increase network bandwidth
- To enhance security by isolating workloads
- To centralize network management
Correct answer: To enhance security by isolating workloads
Correct answer: To enhance security by isolating workloads. Explanation: Microsegmentation in cybersecurity is used to enhance security by isolating workloads from one another. This prevents lateral movement of threats within the network, thereby containing any potential breaches to smaller segments.
- What is the primary goal of Security Orchestration, Automation, and Response (SOAR)?
- To automate incident response and security workflows
- To encrypt sensitive data at rest
- To monitor user activities
- To balance network traffic
Correct answer: To automate incident response and security workflows
Correct answer: To automate incident response and security workflows. Explanation: Security Orchestration, Automation, and Response (SOAR) aims to automate and streamline incident response and security operations workflows. It integrates various security tools and systems, enabling automated responses to security incidents.
- Which technology is primarily used to protect sensitive data by transforming it into an unreadable format?
- Tokenization
- Firewall
- Intrusion Prevention System (IPS)
- Data Loss Prevention (DLP)
Correct answer: Tokenization
Correct answer: Tokenization. Explanation: Tokenization is used to protect sensitive data by replacing it with unique identification symbols (tokens) that retain all the essential information without compromising its security. It is commonly used to secure payment card data and personally identifiable information (PII).
- What is the main function of a Next-Generation Firewall (NGFW) in cybersecurity?
- To perform advanced network traffic analysis
- To provide a virtual environment for application testing
- To manage user identities and access
- To monitor server performance
Correct answer: To perform advanced network traffic analysis
Correct answer: To perform advanced network traffic analysis. Explanation: A Next-Generation Firewall (NGFW) goes beyond traditional firewall capabilities by performing advanced network traffic analysis. This includes application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.
- In cybersecurity, what is the primary role of an Endpoint Detection and Response (EDR) tool?
- To manage network configurations
- To detect and respond to threats on endpoint devices
- To balance loads across servers
- To encrypt data storage
Correct answer: To detect and respond to threats on endpoint devices
Correct answer: To detect and respond to threats on endpoint devices. Explanation: Endpoint Detection and Response (EDR) tools are designed to detect and respond to cybersecurity threats and incidents on endpoint devices. They provide continuous monitoring and automated response capabilities to address threats like malware, ransomware, and other endpoint-based attacks.
- In cybersecurity, what is the purpose of a Secure Web Gateway (SWG)?
- To manage web traffic bandwidth
- To enforce company policies on internet usage
- To encrypt web communications
- To provide secure remote access
Correct answer: To enforce company policies on internet usage
Correct answer: To enforce company policies on internet usage. Explanation: A Secure Web Gateway (SWG) is primarily used to enforce company policies on internet usage. It filters unwanted software/malware from user-initiated web/internet traffic and enforces corporate and regulatory policy compliance.
- Which cybersecurity tool is specifically designed to protect against malware and exploits targeting mobile devices?
- Mobile Device Management (MDM)
- Network Intrusion Prevention System (NIPS)
- Data Loss Prevention (DLP)
- Endpoint Protection Platform (EPP)
Correct answer: Mobile Device Management (MDM)
Correct answer: Mobile Device Management (MDM). Explanation: Mobile Device Management (MDM) is designed to protect against malware and exploits targeting mobile devices. It allows for the management and security of mobile devices like smartphones and tablets, encompassing everything from enforcing policies and updates to securing them against threats.
- Which technology is primarily used to detect and prevent data exfiltration via email in an organization?
- Email Gateway Security
- Intrusion Detection System (IDS)
- Data Encryption
- Network Access Control (NAC)
Correct answer: Email Gateway Security
Correct answer: Email Gateway Security. Explanation: Email Gateway Security technologies are primarily used to detect and prevent data exfiltration via email. They monitor and control inbound and outbound email traffic to protect against email-based threats and data leakage.
- What is the main purpose of employing a Security Assertion Markup Language (SAML) in a federated identity management system?
- To encrypt data transmissions
- To manage network configurations
- To facilitate single sign-on (SSO) across different systems
- To monitor server performance
Correct answer: To facilitate single sign-on (SSO) across different systems
Correct answer: To facilitate single sign-on (SSO) across different systems. Explanation: Security Assertion Markup Language (SAML) is used in federated identity management systems to facilitate single sign-on (SSO) across different systems. It allows users to log in once and gain access to multiple systems without re-authenticating.
- In the context of security architecture, what is a primary function of a Botnet Detection System?
- To manage software updates across the network
- To detect and prevent botnet activities in the network
- To encrypt data storage
- To balance network traffic
Correct answer: To detect and prevent botnet activities in the network
Correct answer: To detect and prevent botnet activities in the network. Explanation: A Botnet Detection System is designed to detect and prevent botnet activities within a network. It identifies patterns and behaviors indicative of botnet command and control, as well as botnet-driven attacks like Distributed Denial of Service (DDoS).
- What role does a Security Information and Event Management (SIEM) system play in the Incident Response process?
- Encrypting incident data
- Managing network configurations during incidents
- Aggregating and correlating logs for incident analysis
- Providing a secure tunnel for incident data transmission
Correct answer: Aggregating and correlating logs for incident analysis
Correct answer: Aggregating and correlating logs for incident analysis. Explanation: In the Incident Response process, a Security Information and Event Management (SIEM) system plays a critical role in aggregating and correlating logs from various sources. This helps in analyzing incidents by providing a consolidated view of security-related data.
- Which tool is essential for identifying unknown vulnerabilities in software applications before they are deployed?
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Network Traffic Analysis Tool
- Intrusion Prevention System (IPS)
Correct answer: Static Application Security Testing (SAST)
Correct answer: Static Application Security Testing (SAST). Explanation: Static Application Security Testing (SAST) is essential for identifying unknown vulnerabilities in software applications before deployment. It analyzes source code or compiled versions of code to find security flaws without executing the programs.
- In a CySA+ vulnerability management report, which element communicates the relative urgency of remediating a specific finding to stakeholders?
- The affected host's MAC address
- The risk score (such as a CVSS-based severity rating)
- The scanner's software version
- The total number of open ports on the host
Correct answer: The risk score (such as a CVSS-based severity rating)
Correct answer: The risk score (such as a CVSS-based severity rating). Explanation: A vulnerability report should include a risk score, typically derived from CVSS, so stakeholders can prioritize remediation. The score conveys urgency and likely impact, helping the organization decide which vulnerabilities to fix first rather than treating every finding equally.
- An analyst is preparing a vulnerability report and notices the same critical finding reappears on a host after each monthly scan. Which reporting element best captures this?
- Recurrence
- Affected hosts
- Compliance mapping
- Executive summary
Correct answer: Recurrence
Correct answer: Recurrence. Explanation: Recurrence indicates that a previously identified vulnerability has reappeared, often signaling that a patch was reverted, a control was bypassed, or remediation was incomplete. Tracking recurrence in reports highlights systemic process gaps rather than one-off findings.
- A service-level agreement (SLA) requires critical vulnerabilities to be remediated within 15 days, but a legacy industrial system cannot be patched without halting production. What is this situation an example of?
- A false positive
- An inhibitor to remediation
- A zero-day vulnerability
- A compliance report
Correct answer: An inhibitor to remediation
Correct answer: An inhibitor to remediation. Explanation: Inhibitors to remediation are factors that prevent or delay fixing a vulnerability. Legacy systems, business process interruption, and degrading functionality are common inhibitors that must be documented and communicated so risk owners can accept the risk or approve compensating controls.
- When a vulnerability cannot be immediately patched due to business constraints, which action plan element reduces risk in the interim?
- Deleting the vulnerability from the report
- Implementing a compensating control
- Lowering the asset's CVSS score manually
- Disabling the vulnerability scanner
Correct answer: Implementing a compensating control
Correct answer: Implementing a compensating control. Explanation: A compensating control mitigates risk when direct remediation (patching) is not feasible. Examples include network segmentation, additional monitoring, or restricting access. Action plans should document compensating controls so stakeholders understand how residual risk is being managed.
- Which of the following is a key performance indicator (KPI) commonly tracked in vulnerability management reporting?
- Number of employees in the SOC
- Mean time to remediate (MTTR) vulnerabilities
- The brand of firewall in use
- The color scheme of the dashboard
Correct answer: Mean time to remediate (MTTR) vulnerabilities
Correct answer: Mean time to remediate (MTTR) vulnerabilities. Explanation: Mean time to remediate (MTTR) is a core KPI showing how long it takes to fix vulnerabilities after discovery. Trending MTTR over time demonstrates whether the remediation program is improving and whether SLA/SLO targets are being met.
- A security manager asks for a report showing the most prevalent weaknesses across the environment so leadership can focus resources. Which metric best satisfies this request?
- A list of the top 10 vulnerabilities by frequency and risk
- A raw packet capture of all traffic
- The Windows registry of each host
- A list of all installed fonts
Correct answer: A list of the top 10 vulnerabilities by frequency and risk
Correct answer: A list of the top 10 vulnerabilities by frequency and risk. Explanation: A 'top 10 vulnerabilities' metric highlights the most common or highest-risk findings, helping leadership prioritize remediation efforts where they will have the greatest impact. It is a standard reporting metric in CySA+ Domain 4.
- What does a Service-Level Objective (SLO) define in the context of vulnerability management metrics?
- The maximum salary for security analysts
- A specific, measurable target (such as patching criticals within 7 days) used to gauge performance
- The legal liability of a vendor
- The physical location of the data center
Correct answer: A specific, measurable target (such as patching criticals within 7 days) used to gauge performance
Correct answer: A specific, measurable target (such as patching criticals within 7 days) used to gauge performance. Explanation: An SLO is a measurable target that supports a broader SLA. For vulnerability management, an SLO might state that critical vulnerabilities are remediated within 7 days. Reporting against SLOs shows whether the program is meeting its commitments.
- Why is it important to identify the correct stakeholders when distributing a vulnerability or incident report?
- To maximize the file size of the report
- To ensure the right audiences receive information tailored to their role and decision-making needs
- To guarantee the report is written only in technical jargon
- To avoid using any encryption
Correct answer: To ensure the right audiences receive information tailored to their role and decision-making needs
Correct answer: To ensure the right audiences receive information tailored to their role and decision-making needs. Explanation: Effective communication requires identifying stakeholders (executives, IT operations, legal, compliance, customers) and tailoring the message. Executives need risk and business impact; technicians need remediation detail. Sending the right content to the right audience drives appropriate action.
- An executive audience is reading a security report. Which section is specifically written for them?
- The raw vulnerability scan XML output
- The executive summary focusing on business risk and impact
- The list of exact exploit payloads used
- The full packet capture appendix
Correct answer: The executive summary focusing on business risk and impact
Correct answer: The executive summary focusing on business risk and impact. Explanation: An executive summary distills findings into business risk, impact, and high-level recommendations without deep technical detail. Executives make funding and risk-acceptance decisions, so the summary must communicate 'what it means to the business,' not granular technical data.
- Which type of report demonstrates that an organization meets the requirements of a regulation or standard such as PCI DSS or HIPAA?
- A compliance report
- A packet capture report
- A penetration testing scope document
- A network topology diagram
Correct answer: A compliance report
Correct answer: A compliance report. Explanation: A compliance report maps the organization's security posture and remediation activities to specific regulatory or framework requirements (PCI DSS, HIPAA, GDPR, etc.). It provides evidence to auditors and regulators that mandated controls are in place.
- During incident response, which activity formally notifies leadership and triggers the response process based on defined criteria?
- Incident declaration
- Vulnerability scanning
- Asset inventory
- Patch deployment
Correct answer: Incident declaration
Correct answer: Incident declaration. Explanation: Incident declaration is the formal recognition that an event meets the criteria of an incident, which activates the response plan and notification chain. Clear declaration criteria ensure consistent escalation and that the right people are engaged promptly.
- An analyst identifies that a contained incident now involves regulated customer data and possible legal exposure. What is the appropriate next communication step?
- Close the ticket without notes
- Escalate to the appropriate stakeholders per the escalation path
- Delete the affected logs
- Re-image every workstation immediately without authorization
Correct answer: Escalate to the appropriate stakeholders per the escalation path
Correct answer: Escalate to the appropriate stakeholders per the escalation path. Explanation: Escalation follows a predefined path to involve legal, management, communications, and possibly regulators when an incident's severity or scope grows. Proper escalation ensures decisions about disclosure, containment, and notification are made by the right authorities.
- What is the primary purpose of a root cause analysis (RCA) during post-incident activity?
- To assign blame to an individual employee
- To determine the underlying reason the incident occurred so it can be prevented in the future
- To calculate the firewall's throughput
- To increase the number of open vulnerabilities
Correct answer: To determine the underlying reason the incident occurred so it can be prevented in the future
Correct answer: To determine the underlying reason the incident occurred so it can be prevented in the future. Explanation: Root cause analysis identifies the fundamental reason an incident happened (e.g., an unpatched system, a phishing-susceptible process) rather than just the symptoms. Addressing the root cause prevents recurrence and is a key input to the lessons-learned process.
- When are 'lessons learned' meetings most appropriately conducted in the incident response life cycle?
- Before the incident is detected
- During the post-incident (post-mortem) phase after recovery
- Only when an audit is requested years later
- Never, since they expose weaknesses
Correct answer: During the post-incident (post-mortem) phase after recovery
Correct answer: During the post-incident (post-mortem) phase after recovery. Explanation: Lessons-learned (post-mortem) reviews occur after the incident is resolved and recovery is complete. They evaluate what went well and what should improve, feeding updates into playbooks, controls, and training to strengthen future response.
- Which metric best communicates how quickly a SOC identifies an active incident?
- Mean time to detect (MTTD)
- Total disk space used
- Number of cables in the rack
- Average employee tenure
Correct answer: Mean time to detect (MTTD)
Correct answer: Mean time to detect (MTTD). Explanation: Mean time to detect (MTTD) measures the average time between when an incident begins and when it is identified. Along with mean time to respond (MTTR), it is a core incident-response KPI that demonstrates detection capability and program effectiveness.
- Why should incident reports and sensitive vulnerability findings be distributed through secure channels?
- To reduce the report's word count
- To prevent unauthorized disclosure of details an adversary could exploit
- To make the report load faster on mobile devices
- Because regulations forbid writing reports at all
Correct answer: To prevent unauthorized disclosure of details an adversary could exploit
Correct answer: To prevent unauthorized disclosure of details an adversary could exploit. Explanation: Reports contain sensitive information such as exploitable weaknesses, affected systems, and response gaps. Secure distribution (encryption, access controls, need-to-know) prevents this information from reaching attackers or unauthorized parties, which is a core reporting consideration.
- A regulation requires notifying affected individuals within a fixed time window after a confirmed data breach. Which reporting consideration does this represent?
- A mandatory regulatory/legal reporting requirement
- An optional marketing communication
- A vulnerability recurrence metric
- A compensating control
Correct answer: A mandatory regulatory/legal reporting requirement
Correct answer: A mandatory regulatory/legal reporting requirement. Explanation: Many regulations (e.g., GDPR, state breach-notification laws, HIPAA) impose mandatory reporting timelines and recipients after a breach. Analysts must understand these obligations so legal and compliance teams can meet deadlines and avoid penalties.
- When communicating with non-technical executives versus the technical operations team about the same vulnerability, the analyst should primarily adjust which aspect of the message?
- The truthfulness of the findings
- The level of technical detail and the framing of business impact
- The CVSS scoring system used
- Whether the vulnerability actually exists
Correct answer: The level of technical detail and the framing of business impact
Correct answer: The level of technical detail and the framing of business impact. Explanation: Audience-appropriate communication keeps the facts the same but adjusts depth and framing. Executives need risk, cost, and business-impact language to make decisions; operations teams need technical remediation steps. Tailoring the message ensures each audience can act effectively.
- A SOC analyst is reviewing firewall connection logs and notices that an internal workstation opens a small outbound HTTPS connection to the same external IP address every 60 seconds, give or take a few seconds, around the clock with very little data transferred each time. Which malicious activity does this pattern most strongly indicate?
- Credentialed vulnerability scanning of the workstation
- A distributed denial-of-service attack against the workstation
- Normal software update polling
- Beaconing to a command-and-control server
Correct answer: Beaconing to a command-and-control server
This pattern indicates beaconing to a command-and-control (C2) server. Beaconing is the periodic, low-volume "check-in" traffic that compromised malware sends to its C2 infrastructure at a fairly regular interval (often with small random jitter) to receive instructions. The regular timing, fixed destination, and tiny payloads are the giveaway, which is why analysts hunt for beaconing by looking for periodic outbound connections in connection logs. A DDoS would be high-volume inbound traffic, not small regular outbound check-ins.
- After a phishing victim's laptop is compromised, the attacker uses the victim's harvested domain credentials to authenticate to several other internal servers over SMB and RDP, expanding access without deploying new malware. In the MITRE ATT&CK framework, this behavior is best categorized as which tactic?
- Exfiltration
- Initial access
- Reconnaissance
- Lateral movement
Correct answer: Lateral movement
This behavior is best categorized as lateral movement. Lateral movement (MITRE ATT&CK tactic TA0008) covers the techniques an adversary uses to move through a network from an initial foothold to other systems, often by reusing stolen credentials and built-in remote-access protocols such as SMB and RDP. Initial access refers to gaining the first foothold (the phishing step here), and exfiltration is moving data out, so neither describes the spread across internal hosts.
- A security team wants to reduce analyst workload by automatically enriching alerts, querying threat intelligence, and executing predefined containment playbooks when a high-confidence detection fires. Which technology is specifically designed to orchestrate and automate these response workflows across multiple security tools?
- A network intrusion detection system
- SIEM (Security Information and Event Management)
- A web application firewall
- SOAR (Security Orchestration, Automation, and Response)
Correct answer: SOAR (Security Orchestration, Automation, and Response)
SOAR (Security Orchestration, Automation, and Response) is specifically designed to orchestrate and automate response workflows across multiple security tools. SOAR platforms integrate disparate tools, run playbooks, and automate repetitive tasks such as alert enrichment and containment, reducing manual effort, human error, and response time. A SIEM, by contrast, focuses on collecting, normalizing, correlating, and alerting on log and event data; it detects and surfaces issues, while SOAR coordinates and automates the response to them.
- An analyst is explaining the difference between an indicator of compromise (IoC) and an indicator of attack (IoA) to a junior teammate. Which statement correctly distinguishes the two?
- An IoC is a type of firewall rule, while an IoA is a type of antivirus signature
- An IoC predicts future attacks, while an IoA confirms a system is patched
- An IoC is forensic evidence that a breach has already occurred, while an IoA reveals the intent and behavior of an attack in progress
- An IoC and an IoA are identical terms used interchangeably
Correct answer: An IoC is forensic evidence that a breach has already occurred, while an IoA reveals the intent and behavior of an attack in progress
The correct distinction is that an IoC is forensic evidence that a breach has already occurred, while an IoA reveals the intent and behavior of an attack in progress. IoCs are artifacts left behind after the fact, such as malicious file hashes, attacker IP addresses, suspicious domains, or registry changes. IoAs focus on the adversary's actions and objectives as they unfold, such as a process spawning a credential-dumping tool, allowing detection earlier in the attack chain regardless of the specific tools used.
- A malware analyst needs to extract the behavior of a suspicious executable, including the network connections it makes and the files it drops, but wants to do so without studying its raw code line by line. Which analysis approach should the analyst use, and where should it be performed?
- Static analysis, by reading the file's hash value against a blocklist
- Dynamic analysis, by running the sample directly on a domain controller
- Dynamic analysis, by detonating the sample inside an isolated sandbox
- Static analysis, by disassembling the binary on the production host
Correct answer: Dynamic analysis, by detonating the sample inside an isolated sandbox
The analyst should use dynamic analysis, by detonating the sample inside an isolated sandbox. Dynamic analysis observes a program's behavior while it actually runs, capturing the processes, file system changes, and network callouts it produces, which is exactly what the analyst needs. Static analysis instead inspects the code, strings, and structure of a file without executing it. Running malware in an isolated sandbox keeps the live network safe, so detonating it on a production host or domain controller would be reckless.
- A security analyst references CVE-2024-XXXXX in a remediation ticket. What does a CVE identifier actually represent?
- A signature an intrusion detection system uses to match malicious traffic
- A numeric score from 0 to 10 that rates how severe a vulnerability is
- A standardized, unique public identifier for a specific known software vulnerability
- A list of vulnerabilities currently being exploited in active attacks
Correct answer: A standardized, unique public identifier for a specific known software vulnerability
A CVE (Common Vulnerabilities and Exposures) is a standardized, unique public identifier assigned to a specific publicly disclosed vulnerability so that tools, vendors, and analysts can all reference the same flaw unambiguously. It is a catalog entry and name, not a severity score; the numeric 0-to-10 rating is the CVSS score, which is a separate scoring system applied to the vulnerability the CVE names.
- An analyst is explaining the difference between CVE and CVSS to a junior teammate. Which statement is correct?
- CVE measures severity from 0 to 10 while CVSS assigns a unique tracking name
- CVE uniquely identifies a vulnerability while CVSS provides a numeric score of its severity
- CVE and CVSS are two interchangeable names for the same severity rating
- CVE lists exploited vulnerabilities while CVSS lists patched vulnerabilities
Correct answer: CVE uniquely identifies a vulnerability while CVSS provides a numeric score of its severity
CVE uniquely identifies a vulnerability while CVSS provides a numeric score of its severity. CVE (Common Vulnerabilities and Exposures) is a naming/identification scheme that assigns a unique ID such as CVE-2024-1234; CVSS (Common Vulnerability Scoring System) is the framework that produces a 0-to-10 severity score for that vulnerability. They work together: the CVE names the flaw, the CVSS rates how bad it is.
- A vulnerability has a CVSS v3.1 base score of 7.4. Which qualitative severity rating does that score fall into?
Correct answer: High
A CVSS v3.1 base score of 7.4 falls into the High severity band. The standard v3.1 qualitative ranges are None (0.0), Low (0.1 to 3.9), Medium (4.0 to 6.9), High (7.0 to 8.9), and Critical (9.0 to 10.0). Because 7.4 is between 7.0 and 8.9 it is rated High, not Medium (which tops out at 6.9) or Critical (which begins at 9.0).
- Which set of values correctly maps CVSS v3.1 base scores to their qualitative severity labels?
- 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical
- 0.1-2.9 Low, 3.0-5.9 Medium, 6.0-8.9 High, 9.0-10.0 Critical
- 0.1-3.9 Low, 4.0-7.9 Medium, 8.0-8.9 High, 9.0-10.0 Critical
- 0.1-4.9 Low, 5.0-7.9 Medium, 8.0-9.4 High, 9.5-10.0 Critical
Correct answer: 0.1-3.9 Low, 4.0-6.9 Medium, 7.0-8.9 High, 9.0-10.0 Critical
The correct mapping is Low 0.1-3.9, Medium 4.0-6.9, High 7.0-8.9, and Critical 9.0-10.0, with 0.0 rated None. These are the official CVSS v3.1 qualitative severity rating ranges published by FIRST. Memorizing these boundaries lets an analyst translate a raw numeric score into the severity wording used in reports and SLAs.
- What does the CVSS base score group specifically measure about a vulnerability?
- How likely the vulnerability is to be exploited in the next 30 days
- The intrinsic, unchanging characteristics of the vulnerability such as exploitability and impact
- Whether a patch is currently available from the vendor
- The business value of the specific asset affected by the vulnerability
Correct answer: The intrinsic, unchanging characteristics of the vulnerability such as exploitability and impact
The CVSS base score measures the intrinsic, unchanging characteristics of the vulnerability such as exploitability and impact. Base metrics reflect qualities constant across time and environments, including Attack Vector, Attack Complexity, Privileges Required, User Interaction, Scope, and impact to Confidentiality, Integrity, and Availability. Likelihood of exploitation over time is captured by temporal metrics and asset value by environmental metrics, not the base group.
- A CVSS vector string for a flaw shows the Attack Vector metric as Network (AV:N). What does this indicate?
- The vulnerability requires the attacker to already hold administrator privileges
- The attacker must have physical access to the device to exploit the flaw
- The flaw can only be triggered from an adjacent device on the same subnet
- The vulnerability can be exploited remotely across a network without local or physical access
Correct answer: The vulnerability can be exploited remotely across a network without local or physical access
An Attack Vector of Network (AV:N) indicates the vulnerability can be exploited remotely across a network, potentially from the internet, without local or physical access. The four Attack Vector values are Network, Adjacent, Local, and Physical, ranging from most remote to most constrained. A Network value generally raises the score because it widens the population of potential attackers compared with the Physical or Local values.
- When manually deriving a CVSS v3.1 score, which inputs feed the Exploitability sub-score of the base metric group?
- The asset's confidentiality, integrity, and availability requirements
- Attack Vector, Attack Complexity, Privileges Required, and User Interaction
- Confidentiality, Integrity, and Availability impact only
- Exploit Code Maturity, Remediation Level, and Report Confidence
Correct answer: Attack Vector, Attack Complexity, Privileges Required, and User Interaction
The Exploitability sub-score is derived from Attack Vector, Attack Complexity, Privileges Required, and User Interaction. The base group combines this exploitability sub-score with the impact sub-score (Confidentiality, Integrity, Availability) and is further shaped by Scope. Exploit Code Maturity and Remediation Level belong to the temporal group, while CIA security requirements belong to the environmental group.
- Which CVSS metric group adjusts a base score over time based on factors like exploit code maturity and patch availability?
- Base metrics
- Temporal metrics
- Environmental metrics
- Exploitability metrics
Correct answer: Temporal metrics
Temporal metrics adjust a base score over time using Exploit Code Maturity, Remediation Level, and Report Confidence. As proof-of-concept code matures into a weaponized exploit or as an official patch ships, the temporal score shifts to reflect the changing real-world picture. Base metrics stay fixed, and environmental metrics tailor the score to a specific organization's deployment rather than to time.
- An organization wants its CVSS scores to reflect that a vulnerable server holds highly sensitive data and sits behind strict network segmentation. Which CVSS metric group should it apply?
- Temporal metrics
- Environmental metrics
- Base metrics
- Report Confidence metrics
Correct answer: Environmental metrics
Environmental metrics let an organization tailor a CVSS score to its own deployment by adjusting for asset criticality and existing mitigations. They include the modified base metrics plus Confidentiality, Integrity, and Availability security requirements, so a server holding sensitive data can be scored higher while network segmentation can lower the modified attack vector. Temporal metrics track exploit maturity over time and do not account for local asset value.
- A vulnerability management program follows a repeatable lifecycle. Which sequence best represents the vulnerability management lifecycle?
- Contain, eradicate, recover, then conduct lessons learned
- Reconnaissance, weaponization, delivery, exploitation, installation
- Identify and scan, analyze and prioritize, remediate or mitigate, then verify and report
- Plan, design, implement, then decommission the network
Correct answer: Identify and scan, analyze and prioritize, remediate or mitigate, then verify and report
The vulnerability management lifecycle moves from identifying and scanning assets, to analyzing and prioritizing findings, to remediating or mitigating them, and then to verifying the fix and reporting results, with the cycle repeating continuously. The contain/eradicate/recover sequence describes the incident response lifecycle, and reconnaissance/weaponization/delivery describes an attack kill chain, neither of which is the vulnerability management lifecycle.
- What is the primary purpose of a vulnerability scan?
- To systematically identify and catalog known weaknesses across systems so they can be prioritized and fixed
- To monitor live network traffic for signatures of ongoing attacks
- To encrypt sensitive data so attackers cannot read it if stolen
- To actively exploit weaknesses and pivot deeper into a network to prove impact
Correct answer: To systematically identify and catalog known weaknesses across systems so they can be prioritized and fixed
The primary purpose of a vulnerability scan is to systematically identify and catalog known weaknesses, such as missing patches and misconfigurations, across systems so they can be prioritized and remediated. A scan reports on potential weaknesses; it generally does not exploit them, which is what a penetration test does. Monitoring live traffic for attack signatures is the job of an IDS, not a vulnerability scanner.
- A credentialed (authenticated) vulnerability scan differs from a non-credentialed scan primarily in that it:
- Logs into the target with valid credentials to inspect installed software, patches, and configurations from the inside
- Sends more network packets per second to find the maximum number of open ports
- Avoids detection by passively listening rather than probing the host
- Only tests the perimeter firewall and never touches internal hosts
Correct answer: Logs into the target with valid credentials to inspect installed software, patches, and configurations from the inside
A credentialed scan logs into the target with valid credentials to inspect installed software, patch levels, and configuration settings from the inside, producing far more accurate and complete results with fewer false positives. A non-credentialed scan only sees what is exposed from the outside, much like an unauthenticated attacker, so it misses many host-level details a credentialed scan can confirm.
- An analyst runs a non-credentialed scan against a web server and the report flags many findings as potential but unconfirmed. Why does a non-credentialed scan tend to produce this kind of result?
- It always reports fewer findings than a credentialed scan because it sees more detail
- Without authentication it can only infer issues from external responses, so it cannot confirm patch levels and yields more false positives
- Without authentication it has full read access to the registry and reports only confirmed findings
- It runs an agent locally on the host and therefore confirms every result
Correct answer: Without authentication it can only infer issues from external responses, so it cannot confirm patch levels and yields more false positives
Because a non-credentialed scan cannot log in, it can only infer issues from external service responses and banner versions, so it cannot confirm actual patch levels and tends to produce more false positives and unconfirmed findings. This is the view an unauthenticated attacker would have. A credentialed scan, by contrast, authenticates and reads local state, confirming far more findings with greater accuracy.
- A team needs continuous visibility into endpoints that frequently disconnect from the corporate network. Which scanning approach is best suited, and why?
- Agentless network scanning, because it requires no software and works only while the host is online
- Passive scanning of a SPAN port, because it captures all host configuration data
- Agent-based scanning, because a locally installed agent collects data even when the host is off-network and reports back when reconnected
- Physical port scanning, because it inventories hardware regardless of connectivity
Correct answer: Agent-based scanning, because a locally installed agent collects data even when the host is off-network and reports back when reconnected
Agent-based scanning fits roaming or intermittently connected endpoints because a lightweight agent installed on the host collects vulnerability and configuration data locally and reports it back whenever the device reconnects, even if it was off-network during the scan window. Agentless scanning depends on reaching the host over the network at scan time, so it misses devices that are disconnected.
- A SOC wants to discover vulnerable systems without sending any probe packets that might disrupt fragile operational technology devices. Which technique meets this requirement?
- Fuzzing each device with malformed input to find crashes
- Aggressive port scanning with full TCP connect attempts
- Passive vulnerability scanning that analyzes captured network traffic to fingerprint systems and detect weaknesses
- Active credentialed scanning that authenticates to each device
Correct answer: Passive vulnerability scanning that analyzes captured network traffic to fingerprint systems and detect weaknesses
Passive vulnerability scanning analyzes captured network traffic, such as from a mirror or SPAN port, to fingerprint systems and infer vulnerabilities without sending probe packets, making it safe for fragile OT and ICS environments. Active scanning, port scanning, and fuzzing all transmit traffic or input to the targets, which can disrupt sensitive devices, so they do not satisfy the no-probe requirement.
- What distinguishes active vulnerability scanning from passive vulnerability scanning?
- Active scanning requires credentials, while passive scanning is always credentialed
- Active scanning observes traffic silently, while passive scanning sends probe packets
- Active scanning sends probes directly to targets, while passive scanning only observes existing traffic
- Active scanning only works on web applications, while passive scanning only works on databases
Correct answer: Active scanning sends probes directly to targets, while passive scanning only observes existing traffic
Active scanning sends probes directly to targets to elicit responses and confirm weaknesses, while passive scanning only observes existing network traffic to infer them. Active scanning is more thorough but generates traffic that can be detected or can disrupt sensitive systems; passive scanning is non-intrusive and stealthier but limited to what it can observe and cannot test for weaknesses that never appear in monitored traffic.
- In vulnerability scanning, what is a false positive?
- A vulnerability that has been confirmed and remediated
- A finding where the scanner misses a vulnerability that is truly present
- A vulnerability that has a publicly available exploit
- A finding where the scanner reports a vulnerability that does not actually exist on the system
Correct answer: A finding where the scanner reports a vulnerability that does not actually exist on the system
A false positive is a finding where the scanner reports a vulnerability that does not actually exist, for example flagging a flaw that was already patched via a backported fix the scanner could not detect. Analysts must validate findings so they do not waste effort on phantom issues. By contrast, a false negative is the dangerous opposite: a real vulnerability the scanner fails to report at all.
- An analyst is comparing two scan errors. Which statement correctly contrasts a false positive with a false negative?
- A false positive is always more dangerous than a false negative
- A false positive reports a vulnerability that is not real, while a false negative fails to report one that is real
- Both describe correctly identified vulnerabilities, differing only in severity
- A false positive fails to report a real vulnerability, while a false negative reports one that is not real
Correct answer: A false positive reports a vulnerability that is not real, while a false negative fails to report one that is real
A false positive reports a vulnerability that is not real, while a false negative fails to report one that is genuinely present. False positives waste analyst time chasing non-issues, but false negatives are generally more dangerous because a real exposure goes undetected and unremediated. Tuning scan configurations and using credentialed scans helps reduce both error types.
- A scanner reports a critical vulnerability on a server, but the analyst confirms the patch was actually applied via a vendor backport that did not change the version banner. How should this finding be classified and handled?
- As a confirmed critical that must be patched again immediately
- As a zero-day that should trigger incident response
- As a false negative requiring an additional deeper scan
- As a false positive that should be validated, documented, and tuned out so it does not recur
Correct answer: As a false positive that should be validated, documented, and tuned out so it does not recur
This is a false positive: the scanner inferred the vulnerability from a version banner without recognizing that a backported fix already addressed it, so the reported flaw does not actually exist. The analyst should validate the result, document the rationale, and tune or suppress the finding so the noise does not recur. Re-patching or invoking incident response would waste effort on a non-existent issue.
- Three vulnerabilities all have a CVSS base score of 9.0. One appears in the CISA Known Exploited Vulnerabilities (KEV) catalog and has a high EPSS probability. Under risk-based prioritization, how should the analyst rank it?
- Treat all three identically, because they share the same CVSS base score
- Remediate it first, because confirmed in-the-wild exploitation and high exploitation likelihood raise real-world risk above the others
- Defer it, because KEV listings indicate the vendor has already mitigated the flaw
- Rank it last, because EPSS scores override CVSS severity
Correct answer: Remediate it first, because confirmed in-the-wild exploitation and high exploitation likelihood raise real-world risk above the others
Risk-based prioritization remediates the KEV-listed, high-EPSS vulnerability first because confirmed in-the-wild exploitation (CISA KEV) and a high Exploit Prediction Scoring System probability indicate elevated real-world risk beyond what the shared CVSS base score alone shows. CVSS measures inherent severity; combining it with KEV evidence, EPSS likelihood, and asset criticality produces a more accurate ranking than CVSS by itself.
- What is the primary goal of patch management within a vulnerability management program?
- To monitor SIEM alerts for signs of active compromise
- To scan the network for open ports and running services
- To encrypt data at rest so it cannot be read if stolen
- To acquire, test, and deploy software updates in a controlled way so known vulnerabilities are remediated
Correct answer: To acquire, test, and deploy software updates in a controlled way so known vulnerabilities are remediated
Patch management's primary goal is to acquire, test, and deploy software updates in a controlled, documented process so that known vulnerabilities are remediated before attackers exploit them. Testing in a staging environment first helps avoid breaking production. Scanning for open ports, encrypting data, and monitoring SIEM alerts are separate security functions that do not, by themselves, close the underlying software flaws that patching addresses.
- A critical vulnerability is found on a legacy system that cannot be patched without breaking a required business application. Which response is the best example of a compensating control?
- Accepting the risk and taking no further action
- Applying the vendor patch immediately despite the application breaking
- Removing the system from the asset inventory so it stops appearing in scans
- Isolating the system on a restricted VLAN with strict firewall rules and enhanced monitoring until it can be replaced
Correct answer: Isolating the system on a restricted VLAN with strict firewall rules and enhanced monitoring until it can be replaced
Isolating the system on a restricted VLAN with strict firewall rules and enhanced monitoring is a compensating control: an alternative safeguard that reduces risk when the primary fix (patching) cannot be applied. Other examples include network segmentation, virtual patching via a WAF or IPS, and tightened access controls. Applying a patch that breaks the business app, ignoring the risk, or hiding the asset from scans do not actually reduce exposure.
- A web application accepts a username field and passes it directly into a database query. An attacker enters input that closes the intended query and appends their own statement, returning all rows from the users table. What attack is this, and what is the best prevention?
- SQL injection, best prevented with parameterized queries and input validation
- A buffer overflow, best prevented with stack canaries
- Privilege escalation, best prevented with least-privilege accounts
- Cross-site scripting, best prevented with output encoding in the browser
Correct answer: SQL injection, best prevented with parameterized queries and input validation
This is SQL injection: untrusted input is concatenated into a database query so the attacker can alter the query's logic and read or modify data. The strongest prevention is parameterized queries (prepared statements) that separate code from data, combined with input validation and least-privilege database accounts. Output encoding defends against cross-site scripting in the browser, not against injection into the database.
- An analyst reviews web server logs and sees repeated requests containing strings like ' OR '1'='1, UNION SELECT, and a comment marker after the input. What does this pattern most likely indicate?
- A privilege escalation attempt against the operating system
- Normal traffic from a vulnerability scanner agent
- Attempts to detect or exploit SQL injection in the application
- A cross-site scripting payload targeting site visitors
Correct answer: Attempts to detect or exploit SQL injection in the application
Strings such as ' OR '1'='1, UNION SELECT, and trailing comment markers in request parameters are classic indicators of SQL injection probing, where the attacker tries to break out of the intended query. Detecting SQL injection often combines log analysis for these tautology and UNION patterns with WAF signatures and source-code review. Cross-site scripting payloads instead contain script tags or event handlers aimed at the browser.
- What is cross-site scripting (XSS)?
- An attack that intercepts traffic between two parties on a network
- An attack that injects SQL commands into a backend database query
- An attack that floods a server with traffic to exhaust its resources
- An attack that injects malicious scripts into web pages so they execute in other users' browsers
Correct answer: An attack that injects malicious scripts into web pages so they execute in other users' browsers
Cross-site scripting (XSS) injects malicious scripts into web pages so they execute in the browsers of other users who view the page, allowing session theft, defacement, or redirection. It targets the client/browser rather than the backend database, which is what SQL injection does. Proper output encoding and a content security policy are primary defenses against XSS.
- An analyst is categorizing XSS findings. Which set correctly names the main types of cross-site scripting?
- Network, adjacent, local, and physical
- Stored (persistent), reflected, and DOM-based
- Active, passive, and credentialed
- Stack-based, heap-based, and integer overflow
Correct answer: Stored (persistent), reflected, and DOM-based
The main XSS attack types are stored (persistent), where the script is saved on the server and served to many users; reflected, where the script is echoed back from a single crafted request; and DOM-based, where client-side JavaScript writes attacker input into the page without proper handling. The network/adjacent/local/physical values describe a CVSS attack vector, not XSS, and stack/heap overflows are memory-corruption flaws.
- During analysis, an attacker who gained access as a standard user exploits a misconfigured service to gain SYSTEM-level rights. What is this technique called?
- Privilege escalation
- Lateral movement
- Reconnaissance
- Data exfiltration
Correct answer: Privilege escalation
Gaining higher rights than originally granted, such as moving from a standard user to SYSTEM or root, is privilege escalation. Vertical escalation increases the privilege level, while horizontal escalation accesses another account at the same level. Lateral movement instead pivots between systems, and exfiltration is the theft of data, neither of which describes elevating one's own permissions on a host.
- A researcher discovers a flaw in a vendor's product and privately notifies the vendor, agreeing to withhold public details until a patch is released. What practice is this?
- Zero-day brokering
- Responsible (coordinated) disclosure
- Full disclosure
- Black-box testing
Correct answer: Responsible (coordinated) disclosure
Responsible disclosure, also called coordinated vulnerability disclosure, is when a researcher privately reports a flaw to the vendor and gives them time to develop and release a fix before details are made public, often within an agreed window such as 90 days. Full disclosure releases all details immediately regardless of patch status, which can pressure vendors but exposes users to risk in the interim.
- An analyst is documenting an intrusion and wants to capture, for a single malicious event, the actor behind it, the tooling used, the systems that delivered the attack, and the targeted organization. Which analytical model is built around exactly these four core features?
- The Lockheed Martin Cyber Kill Chain
- The STRIDE threat-modeling framework
- The Diamond Model of Intrusion Analysis
- The OWASP Threat Dragon model
Correct answer: The Diamond Model of Intrusion Analysis
The Diamond Model of Intrusion Analysis is correct because it defines every intrusion event by exactly four core features: adversary, capability, infrastructure, and victim, connected by the relationships among them. The Cyber Kill Chain instead describes the sequential stages an attack moves through (reconnaissance to actions on objectives) rather than these four atomic features, and STRIDE is a threat-categorization model used during design, not intrusion analysis.
- A SOC manager explains that the team maintains two kinds of documents: a high-level document describing the overall workflow and decision points for handling a phishing incident, and a separate set of precise step-by-step instructions for the specific commands an analyst runs to pull email headers and quarantine a mailbox. Which pairing correctly matches these descriptions?
- The high-level workflow is the runbook; the step-by-step instructions are the playbook
- Both documents are playbooks because they describe phishing response
- The high-level workflow is the playbook; the step-by-step instructions are the runbook
- Both documents are runbooks because they automate response
Correct answer: The high-level workflow is the playbook; the step-by-step instructions are the runbook
A playbook is the high-level workflow describing the strategy and decision points for handling a category of incident, while a runbook is the detailed, often automatable set of specific steps and commands used to execute parts of that response. Reversing the two is the common trap: the runbook is the granular operational procedure, not the strategic overview.
- A first responder arrives at a compromised but still-powered server and must collect evidence in the correct order of volatility per RFC 3227. Which source should be captured first?
- Archived backup tapes for the server
- The physical network topology diagram
- Files stored on the system's hard disk
- The contents of CPU registers and cache
Correct answer: The contents of CPU registers and cache
The contents of CPU registers and cache are captured first because the order of volatility directs responders to collect from most volatile to least volatile, and register/cache contents change in nanoseconds and vanish on power loss. Disk files, archival media, and network topology are far less volatile and are collected later, since they survive power cycling.
- After a ransomware outage, an executive asks an analyst to distinguish two planning efforts: one focused on keeping critical business functions operating during a disruption, and another focused specifically on restoring IT systems and data after they have failed. Which mapping is correct?
- Disaster recovery keeps critical functions running during disruption; business continuity restores IT systems afterward
- Both terms describe the same plan to back up data nightly
- Business continuity keeps critical functions running during disruption; disaster recovery restores IT systems and data afterward
- Business continuity applies only to natural disasters, disaster recovery only to cyberattacks
Correct answer: Business continuity keeps critical functions running during disruption; disaster recovery restores IT systems and data afterward
Business continuity focuses on keeping the organization's critical functions operating throughout a disruption, while disaster recovery is the narrower, IT-centric effort of restoring systems and data after failure. Disaster recovery is generally considered a subset supporting the broader continuity goal, and neither is limited to a specific cause such as natural disasters versus cyberattacks.
- While mapping observed adversary behavior in MITRE ATT&CK, an analyst notes the attacker's goal was credential access, achieved specifically through brute forcing a login. In ATT&CK terminology, how do these two elements relate?
- Brute force is the tactic; credential access is the technique used to achieve it
- Both are techniques that belong to different tactics
- Credential access is a sub-technique of the brute force technique
- Credential access is the tactic (the why); brute force is the technique (the how)
Correct answer: Credential access is the tactic (the why); brute force is the technique (the how)
In MITRE ATT&CK, credential access is the tactic representing the adversary's objective or the why, and brute force is the technique representing the how, the specific method used to achieve that objective. ATT&CK organizes behavior as tactics (goals) populated by techniques and sub-techniques (methods), so the goal is never a technique nested under a method.
- A SOC manager reports that the team's mean time to respond (MTTR) dropped from 9 hours to 4 hours last quarter. What does this metric actually measure?
- The average time the team spends documenting an incident after recovery
- The average number of incidents the team handles in a single shift
- The average time a threat actor remains undetected inside the environment
- The average elapsed time from when an incident or vulnerability is detected to when it is contained or remediated
Correct answer: The average elapsed time from when an incident or vulnerability is detected to when it is contained or remediated
Mean time to respond (MTTR) measures the average elapsed time from detection of an incident or vulnerability to its containment or remediation, so a drop from 9 to 4 hours means the team is resolving issues faster. It begins at detection, which is why the time an attacker stays undetected belongs to mean time to detect (MTTD), not MTTR. A falling MTTR is a positive trend that demonstrates improving response efficiency to leadership.
- Which security metric specifically captures how long a vulnerability or threat exists in the environment before the security team becomes aware of it?
- Mean time to recovery
- Mean time to detect (MTTD)
- Mean time between failures (MTBF)
- Mean time to respond (MTTR)
Correct answer: Mean time to detect (MTTD)
Mean time to detect (MTTD) measures the average time a vulnerability or threat is present before the team discovers it, making it a direct indicator of monitoring and scanning effectiveness. Continuous scanning and well-tuned SIEM alerting lower MTTD, while infrequent periodic scans raise it. Mean time to respond (MTTR) is a different metric that starts only after detection, covering the work of containment and remediation.
- A compliance officer asks the analyst to produce a compliance report ahead of an upcoming PCI DSS assessment. What is the primary purpose of such a report?
- To provide a step-by-step runbook for responding to a ransomware outbreak
- To record the chain of custody for digital evidence collected during an incident
- To list every open vulnerability ranked by CVSS base score for the engineering team
- To demonstrate and document that the organization's controls satisfy a specific regulation, standard, or framework
Correct answer: To demonstrate and document that the organization's controls satisfy a specific regulation, standard, or framework
A compliance report demonstrates and documents that the organization's security controls meet the requirements of a specific regulation, standard, or framework such as PCI DSS, HIPAA, or GDPR. Its audience is auditors, regulators, and governance stakeholders, and it maps controls to required criteria rather than simply listing technical findings. A raw CVSS-ranked vulnerability list serves remediation teams, not auditors, so it is a different deliverable.
- An incident response lead is asked to reduce the organization's mean time to respond. Which improvement would most directly lower this metric?
- Lengthening log retention from 90 days to one year
- Adding more fields to the post-incident lessons-learned template
- Increasing the frequency of authenticated vulnerability scans across all subnets
- Pre-building and rehearsing incident response playbooks so containment actions begin immediately on detection
Correct answer: Pre-building and rehearsing incident response playbooks so containment actions begin immediately on detection
Pre-building and rehearsing incident response playbooks most directly lowers mean time to respond (MTTR) because predefined, practiced containment steps shorten the gap between detection and resolution. MTTR is measured from detection onward, so faster, well-drilled response actions move the metric down. More frequent scanning improves mean time to detect (MTTD), a separate metric measured before detection, and longer log retention aids investigation depth without inherently speeding response.
- A CISO wants a small set of standardized measurements to track the health of the vulnerability management program over time. Which set best represents appropriate vulnerability management metrics?
- Help-desk ticket satisfaction scores and average call-handling time
- Mean time to remediate, percentage of critical findings patched within SLA, and count of recurring (reopened) vulnerabilities
- Quarterly revenue growth and customer churn rate
- Number of marketing emails sent and website uptime percentage
Correct answer: Mean time to remediate, percentage of critical findings patched within SLA, and count of recurring (reopened) vulnerabilities
Mean time to remediate, percentage of critical findings patched within SLA, and the count of recurring or reopened vulnerabilities are standard vulnerability management metrics because they quantify how quickly and how completely the program reduces risk. These measurements let leadership track trends and prove control effectiveness over time. Revenue, churn, and help-desk satisfaction are business or support metrics that do not measure the vulnerability program's performance.
- After completing a scan, an analyst compiles findings into a vulnerability report for the asset owners. What is the core purpose of a vulnerability report?
- To certify that the organization has zero remaining security weaknesses
- To formally notify law enforcement that a crime has occurred
- To document identified weaknesses, their severity, affected assets, and recommended remediation so owners can prioritize fixes
- To serve as legally admissible evidence in a courtroom proceeding
Correct answer: To document identified weaknesses, their severity, affected assets, and recommended remediation so owners can prioritize fixes
A vulnerability report documents the weaknesses found, their severity, the affected assets, and recommended remediation actions so that asset owners can prioritize and fix them. It communicates risk and drives remediation decisions rather than certifying that no weaknesses remain, which is never a realistic claim. Legal evidence handling and law-enforcement notification belong to incident response and forensics processes, not to a routine vulnerability report.
- A critical patch is available for a manufacturing control server, but applying it would force a production line shutdown that the business will not authorize. In a vulnerability report, how should the analyst categorize this barrier?
- An inhibitor to remediation
- A compensating control already in place
- A key performance indicator
- A false positive in the scan output
Correct answer: An inhibitor to remediation
This is an inhibitor to remediation: a business or technical constraint that prevents or delays applying a fix, with business process interruption being the specific inhibitor here. CySA+ groups inhibitors to include MOUs, SLAs, organizational governance, business process interruption, degrading functionality, legacy systems, and proprietary systems. It is not a false positive because the vulnerability is real, and it is not a compensating control because no alternative safeguard has yet been applied.
- Which of the following is the best example of a key performance indicator (KPI) for a vulnerability management program, as opposed to a key risk indicator?
- The percentage of high and critical vulnerabilities remediated within the defined SLA window
- The projected likelihood that an attacker exploits an unpatched system
- The estimated financial loss if a critical server is breached
- The number of newly disclosed zero-day vulnerabilities published industry-wide this month
Correct answer: The percentage of high and critical vulnerabilities remediated within the defined SLA window
The percentage of high and critical vulnerabilities remediated within the defined SLA window is a key performance indicator (KPI) because it measures how well the program is performing against a target. KPIs gauge operational performance, whereas key risk indicators (KRIs) such as estimated loss or exploit likelihood forecast exposure to risk. Counting industry-wide zero-days is external threat data, not a measure of this team's performance.
- An analyst must brief both the board of directors and the system engineering team about the same newly discovered critical vulnerability. Which approach reflects sound stakeholder communication?
- Tailor the message: business impact and risk for the board, and technical findings with remediation steps for the engineers
- Withhold information from the board until the vulnerability is fully remediated
- Communicate only verbally so that no written record of the vulnerability exists
- Send both audiences the identical raw scanner output with full packet-level detail
Correct answer: Tailor the message: business impact and risk for the board, and technical findings with remediation steps for the engineers
Sound stakeholder communication tailors the message to the audience: executives need business impact, risk, and required decisions, while engineers need technical detail and concrete remediation steps. Sending identical raw scanner output to both fails the non-technical audience, and withholding information from leadership undermines informed risk decisions. Avoiding written records would also break accountability and compliance requirements.
- A vulnerability management policy states that critical findings must be remediated within 7 days and high findings within 30 days. What is this type of agreement called in a cybersecurity context?
- A service-level agreement (SLA)
- A memorandum of understanding (MOU)
- A compensating control
- A chain of custody
Correct answer: A service-level agreement (SLA)
A service-level agreement (SLA) defines the agreed performance targets, such as remediating critical vulnerabilities within 7 days and high within 30 days, and holds teams accountable to those timelines. SLAs make metrics like percentage-patched-within-SLA measurable. A memorandum of understanding states broad intent between parties without enforceable service targets, and a chain of custody documents evidence handling, so neither fits a remediation-timeline commitment.
- A monthly vulnerability report shows that the same critical finding on a single host has been reported, marked remediated, and then reappeared in each of the last three scans. Which reporting element most accurately captures this pattern, and what does it signal?
- A compensating control, signaling the risk has been formally accepted
- A recurring (reopened) vulnerability, signaling that the fix is not persisting or is being reverted
- A false negative, signaling the scanner missed the vulnerability entirely
- A zero-day, signaling no patch exists for the flaw
Correct answer: A recurring (reopened) vulnerability, signaling that the fix is not persisting or is being reverted
This is a recurring or reopened vulnerability, which signals that the applied fix is not persisting, perhaps because configuration drift, an image rebuild, or a reverted change keeps reintroducing the flaw. Tracking recurrence is a useful vulnerability management metric because a high reopen rate points to a broken remediation process rather than a new discovery. It is not a false negative, since the scanner is detecting the flaw, nor a zero-day, since a fix clearly exists.