CompTIA Cybersecurity Analyst (CySA+) Certification – Domain 1.0 Security Operations Practice Exam 2026-2027: Questions and Answers

After running a vulnerability scan of systems in his organization's development shop, Mike discovers a critical EOL/Obsolete Software Microsoft .NET Framework 4 - 4.5.1 vulnerability. What is the best solution to this vulnerability?
A. Apply the required security patches.
B. Remove this framework from the affected systems.
C. Upgrade the OS of the affected systems.
D. No action is necessary.
B.
The vulnerability description indicates that this software has reached its end-of-life (EOL) and, therefore, is no longer supported by Microsoft. Because no further patches will be released for it, Mike's best solution is to remove this version of the framework from the affected systems.

Brian is configuring a vulnerability scan of all servers in his organization's datacenter. He is configuring the scan to only detect the highest-severity vulnerabilities. He would like to empower system admins to correct issues on their servers but also have some insight into the status of those remediations. Which approach would best serve Brian's interests?
A. Give the admins access to view the scans in the vulnerability scanning system.
B. Send email alerts to admins when the scans detect a new vulnerability on their servers.
C. Configure the vulnerability scanner to open a trouble ticket when it detects a new vulnerability on a server.
D. Configure the scanner to send reports to Brian, who can notify admins and track them in a spreadsheet.
C.
The best path for Brian to follow would be to leverage the organization's existing trouble ticket system. A ticket routes each new finding directly to the admin who owns the server and records its status as it is worked, so Brian gets remediation visibility without maintaining a spreadsheet. Scanner access and email alerts give the admins the information but leave Brian with no record of whether anything was fixed.
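The workflow behind option C, as an added example that is not part of the exam or of any scanner or ticketing product: newly detected high-severity findings become tickets keyed by host and vulnerability ID, repeated detections update the existing ticket rather than opening another, and a ticket closes only when its host was scanned and the flaw is no longer reported. The findings, owner map and in-memory ticket store are constructed stand-ins; the severity scale (1 to 5, ticketing 4 and 5 only) is an assumption.

```python
"""Added example: scanner findings to tracked tickets (exam option C).
Findings, owners and the ticket store are constructed in-memory
stand-ins, not scanner or ticketing-system output."""
from dataclasses import dataclass, field
from typing import Dict, List, Set

SEVERITY_THRESHOLD = 4   # assumption: severities run 1..5; only 4 and 5 raise tickets


@dataclass
class Finding:
    host: str
    vuln_id: str     # scanner's identifier for the flaw (QID, plugin ID, ...)
    severity: int
    title: str


@dataclass
class Ticket:
    key: str
    host: str
    vuln_id: str
    owner: str
    status: str = "open"
    history: List[str] = field(default_factory=list)


class TicketQueue:
    """Stand-in for a ticketing system, keyed by host+vuln so a repeated
    detection updates the existing ticket instead of opening another."""

    def __init__(self, owners: Dict[str, str]):
        self.owners = owners                 # host -> admin responsible
        self.tickets: Dict[str, Ticket] = {}

    def process_scan(self, findings: List[Finding], scanned_hosts: Set[str]) -> Dict[str, List[str]]:
        opened: List[str] = []
        reopened: List[str] = []
        resolved: List[str] = []
        seen: Set[str] = set()
        for f in findings:
            if f.severity < SEVERITY_THRESHOLD:
                continue
            key = f"{f.host}:{f.vuln_id}"
            seen.add(key)
            t = self.tickets.get(key)
            if t is None:
                t = Ticket(key, f.host, f.vuln_id, self.owners.get(f.host, "unassigned"))
                t.history.append(f"opened: {f.title}")
                self.tickets[key] = t
                opened.append(key)
            elif t.status == "resolved":
                t.status = "open"
                t.history.append("reopened: detected again after resolution")
                reopened.append(key)
        # A ticket closes only when its host was actually scanned and the
        # flaw is gone; a host that dropped out of scope keeps its ticket.
        for key, t in self.tickets.items():
            if t.status == "open" and key not in seen and t.host in scanned_hosts:
                t.status = "resolved"
                t.history.append("resolved: no longer detected")
                resolved.append(key)
        return {"opened": opened, "reopened": reopened, "resolved": resolved}
```

The scope check in the closing loop is the part most often missed in real integrations: if a scan silently skips a host (credentials expired, host down), auto-closing its tickets would report a remediation that never happened.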

Xiu is configuring a new vulnerability scanner for use in her organization's datacenter. Which one of the following values is considered a best practice for the scanner's update frequency?
A. Daily
B. Weekly
C. Monthly
D. Quarterly
A.
Vulnerability scanners should be updated as often as possible to allow the scanner to retrieve new vulnerability signatures as soon as they are released.

Ben was recently assigned by his manager to begin the remediation work on the most vulnerable server in his organization. What remediation action should Ben take first?
A. Install patches for Adobe Flash
B. Install patches for Firefox
C. Run Windows Update
D. Remove obsolete software
C.
The best starting point would be to run Windows Update to install operating system patches. Many of the critical vulnerabilities relate to missing Windows patches that may be remotely exploited with no user action, whereas the browser and Flash issues require a user to open malicious content.

Kylie reviewed the vulnerability scan report for a web server and found that it has multiple SQL injection and cross-site scripting vulnerabilities. What would be the least difficult way for Kylie to address these issues?
A. Install a web application firewall.
B. Recode the web application to include input validation.
C. Apply security patches to the server operating system.
D. Apply security patches to the web server service.
A.
Applying patches to the server will not correct SQL injection or cross-site scripting flaws, since these reside within the web applications themselves. Kylie could correct the root cause by recoding the web applications to use input validation, but this is more difficult. A web application firewall would provide immediate protection with lower effort. It is a compensating control, not a fix: the flaws remain in the code, and the recode should still follow.
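The two flaw classes in Kylie's report, shown as an added example in a deliberately vulnerable form and then as the recoded form that option B refers to. This is not code from the exam or from any real application; the `users` table is constructed in an in-memory SQLite database. The fixes use the standard recoding for these flaws, a parameterised query for the SQL injection and output encoding for the XSS; input validation on top of that is defence in depth, not a replacement.

```python
"""Added example: SQL injection and reflected XSS, vulnerable and fixed.
The users table is constructed here; nothing is taken from a real app."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data for the example.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(name TEXT, role TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)",
                    [("alice", "admin"), ("bob", "user")])
    return con


def lookup_vulnerable(con: sqlite3.Connection, name: str) -> list:
    # String concatenation: the attacker's input is parsed as part of the SQL.
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def lookup_fixed(con: sqlite3.Connection, name: str) -> list:
    # Parameterised query: the input is bound as data and never parsed as SQL.
    return con.execute("SELECT name, role FROM users WHERE name = ?",
                       (name,)).fetchall()


def greet_vulnerable(name: str) -> str:
    # Reflected XSS: untrusted input is written straight into the HTML body.
    return "<p>Hello, " + name + "</p>"


def greet_fixed(name: str) -> str:
    # Output encoding: markup characters become entities, so the browser
    # renders the text instead of executing it.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"
```

Running the classic `x' OR '1'='1` payload through `lookup_vulnerable` returns every row, while `lookup_fixed` returns nothing because no user is literally named that; a WAF sitting in front of the vulnerable version would try to recognise the payload, the fixed version does not need to.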

Ann would like to improve her organization's ability to detect and remediate security vulnerabilities by adopting a continuous monitoring approach. Which one of the following is not a characteristic of a continuous monitoring program?
A. Analyzing and reporting findings
B. Conducting forensic investigations when a vulnerability is exploited
C. Mitigating the risk associated with findings
D. Transferring the risk associated with a finding to a third party
B.
Analyzing and reporting findings to management is one of the core tasks of a continuous monitoring program. Another core task is responding to findings by mitigating, accepting, transferring, or avoiding risks. Continuous monitoring programs are not tasked with performing forensic investigations, as this is an incident response process.

Holly ran a scan of a server in her datacenter and the most serious result was a medium level phpinfo Information Disclosure vulnerability. What action is most commonly taken to remediate this vulnerability?
A. Remove the file from the server.
B. Edit the file to limit information disclosure.
C. Password protect the file.
D. Limit file access to a specific IP range.
A.
The phpinfo file is a testing file often used by web developers during the initial configuration of a server. Although any of the solutions provided here may remediate this vulnerability, the most common course of action is to simply remove this file before the server is moved into production or made publicly accessible.

Vincent is a security manager for a U.S. federal government agency subject to FISMA. Which one of the following is not a requirement that he must follow for his vulnerability scans to maintain FISMA compliance?
A. Run complete scans on at least a monthly basis.
B. Use tools that facilitate interoperability and automation.
C. Remediate legitimate vulnerabilities.
D. Share information from the vulnerability scanning process.
A.
FISMA does not contain any specific requirements regarding the frequency of the scans. It merely states that agencies must conduct scans of information systems and hosted applications when new vulnerabilities potentially affecting the system/application are identified and reported.

How can a SSL Certificate Signed Using Weak Hashing Algorithm vulnerability be corrected?
A. Reconfigure the VPN server to only use secure hash functions.
B. Request a new certificate.
C. Change the domain name of the server.
D. Implement an intrusion prevention system.
B.
This is a vulnerability in the certificate itself and may be corrected only by requesting a new certificate from the certificate authority (CA) that uses a secure hash algorithm in the certificate signature. Reconfiguring the server changes which protocol versions and cipher suites it offers, but it cannot change the algorithm the CA already used to sign the existing certificate.

Meredith is configuring a vulnerability scan and would like to configure the scanner to perform credentialed scans. Which option will allow her to directly configure this capability?
A. Manage discovery scans
B. Configure scan settings
C. Configure search lists
D. Set Up Host Authentication
D.
Credentialed scans are also known as authenticated scans and rely on having credentials to log on to target hosts and read their configuration settings.

Meredith recently ran a vulnerability scan on her organization's accounting network segment and found a critical level Adobe Flash Player Remote Code Execution vulnerability. What would be the most effective way for Meredith to resolve this vulnerability?
A. Remove Flash Player from the workstations.
B. Apply the security patches described in the Adobe bulletin.
C. Configure the network firewall to block unsolicited inbound access to these workstations.
D. Install an intrusion detection system on the network.
A.
The security and web development communities both consider Adobe Flash an outdated and insecure technology. The best solution would be for Meredith to remove this software from systems in her organization.

Sara's organization has a well-managed test environment. What is the most likely issue that Sara will face when attempting to evaluate the impact of a vulnerability remediation by first deploying it in the test environment?
A. Test systems are not available for all production systems.
B. Production systems require a different type of patch than test systems.
C. Significant configuration differences exist between test and production systems.
D. Test systems are running different operating systems than production systems.
A.
In a well-managed test environment, the test systems should be configured in a near-identical manner to production systems. They should be running the same operating systems and require the same patches. However, in almost every organization, there are systems running in production that do not have mirror deployments in test environments because of cost, legacy system issues, and other reasons.

Chang is responsible for managing his organization's vulnerability scanning programs. He is experiencing issues with scans aborting because the previous day's scans are still running when the scanner attempts to start the current day's scans. Which one of the following solutions is least likely to resolve Chang's issue?
C.

C. A broadband router
D. A print server
B.
Since Cassandra is scanning a wireless network and the system is using an IP address that is commonly used for commodity wireless routers, her best guess should be that this is a wireless router that can be accessed via SSH and that is providing a web management interface and print services.

Latisha has local access to a Windows workstation and wants to gather information about the organization that it belongs to. What type of information can she gain if she executes the command nbtstat -c?
A. MAC addresses and IP addresses of local systems
B. NetBIOS name-to-IP address mappings
C. A list of all NetBIOS systems that the host is connected to
D. NetBIOS MAC-to-IP address mappings
B.
The command nbtstat -c shows the contents of the NetBIOS name cache, which is a list of name-to-IP address mappings the workstation has recently resolved.
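How that cache turns into a target list, as an added example that is not from the exam: the parser below reads `nbtstat -c` output into name-to-IP mappings and groups hosts by the service their NetBIOS suffix advertises. The sample output is constructed for this example (it follows the Windows layout but is not a real capture), and the host names and addresses in it are invented.

```python
"""Added example: parsing `nbtstat -c` output into name-to-IP mappings.
SAMPLE is a constructed stand-in for real command output."""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of `nbtstat -c` output (names and addresses invented).
SAMPLE = """\
Ethernet:
Node IpAddress: [192.168.1.10] Scope Id: []

                  NetBIOS Remote Cache Name Table

        Name              Type       Host Address    Life [sec]
    ------------------------------------------------------------
    FILESRV01      <20>  UNIQUE      192.168.1.20    420
    FILESRV01      <00>  UNIQUE      192.168.1.20    420
    CORP           <1C>  GROUP       192.168.1.5     300
    DC01           <20>  UNIQUE      192.168.1.5     300
"""

# Common NetBIOS name suffixes (the 16th byte of the name).
SUFFIX = {
    "00": "workstation service / domain name",
    "03": "messenger service",
    "1B": "domain master browser",
    "1C": "domain controllers (group)",
    "20": "file server service",
}

ENTRY = re.compile(
    r"^\s*(?P<name>\S+)\s+<(?P<suffix>[0-9A-F]{2})>\s+(?P<type>UNIQUE|GROUP)"
    r"\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<ttl>\d+)\s*$",
    re.IGNORECASE,
)


def parse_nbtstat_cache(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (name, suffix, type, ip) for every cache entry in the output.
    Header, separator and 'No names in cache' lines do not match ENTRY."""
    rows = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            rows.append((m["name"], m["suffix"].upper(), m["type"].upper(), m["ip"]))
    return rows


def name_to_ip(text: str) -> Dict[str, str]:
    """The mapping the question asks about: each cached NetBIOS name to its IP."""
    return {name: ip for name, _, _, ip in parse_nbtstat_cache(text)}


def hosts_by_role(text: str) -> Dict[str, List[str]]:
    """Group IPs by the service their suffix advertises, for target selection."""
    roles: Dict[str, List[str]] = defaultdict(list)
    for _, suffix, _, ip in parse_nbtstat_cache(text):
        role = SUFFIX.get(suffix, f"suffix {suffix}")
        if ip not in roles[role]:
            roles[role].append(ip)
    return dict(roles)
```

The `<1C>` group entry is the one an attacker cares about most: it names the domain and points at a domain controller, which `nbtstat -c` hands over without any network traffic of its own.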

Marta is a security analyst who has been tasked with performing nmap scans of her organization's network. She is a new hire and has been given this logical diagram of the organization's network but has not been provided with any additional detail. Marta wants to determine what IP addresses to scan from location A. How can she find this information?
A. Scan the organization's web server and then scan the other 255 IP addresses in its subnet.
B. Query DNS and WHOIS to find her organization's registered hosts.
C. Contact ICANN to request the data.
D. Use traceroute to identify the network that the organization's domain resides in.
B.
Marta's best option from this list is to query DNS and WHOIS. She might also choose to use a BGP looking glass, but most of the information she will need will be in WHOIS. If she simply scans the /24 that the web server sits in, she may end up scanning a third-party hosting provider or other systems in that range that aren't owned by her organization. Contacting ICANN isn't necessary with access to WHOIS, and depending on what country Marta is in, ICANN may not have the data she wants. Finally, traceroute only shows the path to the single host she queries, not the address ranges the organization owns, so she needs more data to perform a useful scan.

Marta wants to perform regular scans of the entire organizational network but only has a budget that supports buying hardware for a single scanner. Where should she place her scanner to have the most visibility and impact?
A. Location A
B. Location B
C. Location C
D. Location D
B.
Marta will see the most important information about her organization at location B, which provides a view of datacenter servers behind the datacenter firewall. To get more information, she should request that the client network firewall ruleset include a rule allowing her scanner to scan through the firewall to all ports for all systems on all protocols.

Fred's reconnaissance of an organization includes a search of the Censys network search engine. There, he discovers multiple certificates with validity dates as shown here:

Validity: 2018-07-07 00:00:00 to 2019-08-11 23:59:59 (400 days, 23:59:59)

from queried DNS, it did not receive a response, indicating that the system does not have a DNS entry (or at least, it doesn't have one that is available to the host that did the scan and ran the Wireshark capture).

Stella is analyzing the results of a vulnerability scan and comes across the vulnerability shown here on a server in her organization. The SharePoint service in question processes all of the organization's work orders and is a critical part of the routing business workflow. What is the best way that Stella can correct this vulnerability?
A. Deploy an intrusion prevention system.
B. Apply one or more application patches.
C. Apply one or more operating system patches.
D. Disable the service.
B.
The vulnerability report indicates that SharePoint application patches are available to correct the vulnerability on a variety of versions of SharePoint. This should be Stella's first course of action since it will correct the underlying issue. Deploying an intrusion prevention system may also prevent attackers from exploiting the vulnerability, but it will depend on the positioning of the IPS and the attacker's location on the network and will not correct the underlying issue. There is no indication that an operating system patch will correct the issue. Disabling the service will prevent an attacker from exploiting the vulnerability but will also disable the business-critical service.

Laura is working to upgrade her organization's vulnerability management program. She would like to add technology that is capable of retrieving the configurations of systems, even when they are highly secured. Many systems use local authentication, and she wants to avoid the burden of maintaining accounts on all of those systems. What technology should Laura consider to meet her requirements?
A. Credentialed scanning
B. Uncredentialed scanning
C. Server-based scanning
D. Agent-based scanning
D.
Laura should consider deploying vulnerability scanning agents on the servers she wants to scan. These agents run locally with the access they need, retrieve configuration information, and send it to the scanner for analysis. Credentialed scanning would also be able to retrieve this information, but it would require that Laura manage accounts on each scanned system. Server-based scanning would not be capable of retrieving configuration information from the host unless run in credentialed mode. Uncredentialed scans would not have the access required to retrieve detailed configuration information from scan targets.

Ryan ran a vulnerability scan of one of his organization's production systems and received the report shown here. He would like to understand this vulnerability better and then remediate the issue. Which one of the following actions could Ryan take to remediate the underlying issue without disrupting business activity?
A. Disable the IIS service.
B. Apply a security patch.
C. Modify the web application.
D. Apply IPS rules.
B.
Applying a security patch would correct the issue on this server. The fact that the header for this vulnerability includes a Microsoft security bulletin ID indicates that Microsoft likely released a patch. Disabling the IIS service would disrupt business activity on the server. Modifying the web application would not likely address this issue, as the report indicates that it is an issue with the underlying IIS server and not a specific web application. IPS rules may prevent an attacker from exploiting the vulnerability, but they would not correct the underlying issue.

Ryan ran a vulnerability scan of one of his organization's production systems and received the report shown here. He would like to understand this vulnerability better and then remediate the issue. If an attacker is able to exploit this vulnerability, what is the probable result that will have the highest impact on the organization?
B. Web application information disclosure
C. Web server uses basic authentication without HTTPS
D. Web server directory enumeration
A.
The SQL injection attack could be quite serious, since it may allow an attacker to retrieve and/or modify information stored in the backend database. The second highest priority should be resolving the use of unencrypted authentication, because it may allow the theft of user credentials. The remaining two vulnerabilities are less serious, because they only pose a reconnaissance risk.

Carla is designing a vulnerability scanning workflow and has been tasked with selecting the person responsible for remediating vulnerabilities. Which one of the following people would normally be in the best position to remediate a server vulnerability?

A. Cybersecurity analyst

B. System administrator

C. Network Engineer

D. IT manager

B.

System administrators are normally in the best position to remediate vulnerabilities because they are responsible for maintaining the server configuration. Network engineers, security analysts, and managers may provide input, but they often lack either the privileges or knowledge to successfully remediate a server.

Haruto is reviewing the results of a vulnerability scan, shown here, from a web server in his organization. Access to this server is restricted at the firewall so that it may not be accessed on port 80 or 443. Which of the following vulnerabilities should Haruto still address?
A. OpenSSL version
B. Cookie information disclosure
C. TRACK/TRACE methods
D. Haruto does not need to address any of these vulnerabilities because they are not exposed to the outside world.
A.
From the information given, you can conclude that all of the HTTP/HTTPS vulnerabilities are not exploitable by an attacker because of firewall restrictions. However, OpenSSL is an encryption package used for other services, in addition to HTTPS. Therefore, it may still be exposed via SSH or other means. Haruto should replace it with a current, supported version because running an EOL version of this package exposes the organization to potentially unpatchable security vulnerabilities.
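The reasoning in Haruto's question, as an added example that is not from the exam or any scanner: a service-level finding is reachable only through the port it lives on, but a library-level finding such as the OpenSSL version is reachable through every open port whose service links that library. The host's listeners, the service-to-library dependency map (including the assumption that this sshd build links OpenSSL) and the three findings are constructed for illustration.

```python
"""Added example: which findings stay reachable once the firewall blocks
80 and 443. Listeners, dependencies and findings are constructed here."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    title: str
    port: Optional[int]   # listener the flaw lives on; None for a library-level flaw
    component: str        # constructed tag: a service ("httpd") or a library ("openssl")


# Constructed view of the host: port -> service, and service -> libraries it links.
LISTENING: Dict[int, str] = {22: "sshd", 80: "httpd", 443: "httpd", 8443: "java-app"}
SERVICE_DEPS: Dict[str, Set[str]] = {
    "sshd": {"openssl", "zlib"},      # assumption: this sshd build links OpenSSL
    "httpd": {"openssl"},
    "java-app": {"openssl"},
}

# The three findings from Haruto's scan, as constructed records.
WEB_FINDINGS = [
    Finding("OpenSSL end-of-life version", None, "openssl"),
    Finding("Cookie information disclosure", 443, "httpd"),
    Finding("TRACK/TRACE methods enabled", 80, "httpd"),
]


def reachable_ports(listening: Dict[int, str], blocked: Set[int]) -> Set[int]:
    """Ports an attacker outside the firewall can still connect to."""
    return {p for p in listening if p not in blocked}


def still_exposed(f: Finding, listening: Dict[int, str], blocked: Set[int]) -> bool:
    open_ports = reachable_ports(listening, blocked)
    if f.port is not None:
        # Service-level flaw (TRACK/TRACE, cookie flags): reachable only on its own port.
        return f.port in open_ports
    # Library-level flaw: reachable through any open port whose service links it.
    return any(f.component in SERVICE_DEPS.get(listening[p], set()) for p in open_ports)


def triage(findings: List[Finding], listening: Dict[int, str], blocked: Set[int]) -> List[str]:
    """Titles of the findings that must still be acted on."""
    return [f.title for f in findings if still_exposed(f, listening, blocked)]
```

Findings the triage drops are not closed: the firewall rule is a compensating control that can be changed by someone else, so they belong on the risk register as accepted with the rule named as the condition, not deleted from the report.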

Which one of the following approaches provides the most current and accurate information about vulnerabilities present on a system because of the misconfiguration of operating system settings?
A. On-demand vulnerability scanning
B. Continuous vulnerability scanning
C. Scheduled vulnerability scanning
D. Agent-based monitoring
D.
Vulnerability scans can only provide a snapshot in time of a system's security status from the perspective of the vulnerability scanner. Agent-based monitoring provides a detailed view of the system's configuration from an internal perspective and is likely to provide more accurate results regardless of the frequency of vulnerability scanning.

Donna is working with a system engineer who wants to remediate vulnerabilities in a server that he manages. Which report template would be most useful to the engineer?
A. Qualys Top 20 Report
B. PCI Technical Report
C. Executive Report
D. Technical Report
D.
The technical report will contain detailed information on a specific host and is designed for an engineer seeking to remediate the system. The PCI Technical Report would focus on credit card compliance issues, and there is no indication that this server is used for credit card processing. The Qualys Top 20 Report and Executive Report would contain summary information more appropriate for a management audience and cover an entire network, rather than provide detailed information on a single system.

Abdul received a high-level Unauthenticated Access to FTP Server Allowed vulnerability alert for a server in his organization. The server runs a legacy application that cannot easily be updated. What risks does this vulnerability present?
A. Unauthorized access to files stored on the server
B. Theft of credentials
C. Eavesdropping on communications
D. All of the above
D.
The use of FTP is not considered a good security practice. Unless tunneled through a secure protocol, FTP is unencrypted, allowing an attacker to eavesdrop on communications and steal credentials that may be transmitted over FTP links. Additionally, this vulnerability indicates that an attacker can gain access to the server without even providing valid credentials.

William is preparing a legal agreement for his organization to purchase services from a vendor. He would like to document the requirements for system availability, including the vendor's allowable downtime for patching. What type of agreement should William use to incorporate this requirement?
A. MOU
B. SLA
C. BPA
D. BIA
B.
Service level agreements (SLAs) specify the technical parameters of a vendor relationship and should include coverage of service availability as well as remedies for failure to meet the agreed-on targets. Memorandums of understanding (MOUs) are less formal documents that outline the relationship between two organizations. Business partnership agreements (BPAs) typically cover business, rather than technical, issues and would not normally include availability commitments. Business impact assessments (BIAs) are risk assessments and are not legal agreements.

Given no other information, which one of the following vulnerabilities would you consider the greatest threat to information confidentiality?
A. HTTP TRACE/TRACK methods enabled
B. SSL Server with SSL v3 enabled
C. phpinfo information disclosure
D. Web application SQL injection
D.