CompTIA Cybersecurity Analyst (CySA+) Certification – Domain 1.0 Security Operations Practice COMPLETE EXAM LATEST VERSION 2026-2027 QUESTIONS AND ANSWERS.pdf
Holly ran a scan of a server in her datacenter and the most serious result was a moderate-level phpinfo Information Disclosure vulnerability. What action is most commonly taken to remediate this?
A. Remove the file from the server. B. Edit the file to limit information disclosure. C. Password protect the file. D. Limit file access to a specific IP range.
Answer: A.
The phpinfo file is a testing file often used by web developers during the initial configuration of a server. Although any of the solutions provided here may remediate this vulnerability, the most common course of action is to simply remove this file before the server is moved into production or made publicly accessible.
Arlene ran a vulnerability scan of a VPN server used by contractors and employees to gain access to her organization's network. An external scan of the server found a moderate-level SSL Certificate Signed Using Weak Hashing Algorithm vulnerability. How can Arlene correct this vulnerability?
A. Reconfigure the VPN server to only use secure hash functions. B. Request a new certificate. C. Change the domain name of the server. D. Implement an intrusion prevention system.
Answer: B.
This error is a vulnerability in the certificate itself and may be corrected only by requesting a new certificate from the certificate authority (CA) that uses a secure hash algorithm in the certificate signature.
Sara's organization has a well-managed test environment. What is the most likely issue that Sara will face when attempting to evaluate the impact of a vulnerability remediation by first deploying it in the test environment?
A. Test systems are not available for all production systems. B. Production systems require a different type of patch than test systems. C. Significant configuration differences exist between test and production systems. D. Test systems are running different operating systems than production systems.
Answer: A.
In a well-managed test environment, the test systems should be configured in a near-identical manner to production systems. They should be running the same operating systems and require the same patches. However, in almost every organization, there are systems running in production that do not have mirror deployments in test environments because of cost, legacy system issues, and other reasons.
How many vulnerabilities listed in the report shown here are significant enough to warrant immediate remediation in a typical operating environment?
A. 22 B. 14 C. 5 D. 0
Answer: D.
The vulnerability scan of this server has fairly clean results. All of the vulnerabilities listed are severity 3 or lower. In most organizations, immediate remediation is required only for severity 4 or 5 vulnerabilities.
Trevor is working with an application team on the remediation of a critical SQL injection vulnerability in a public-facing service. The team is concerned that deploying the fix will require several hours of downtime and that will block customer transactions from completing. What is the most reasonable course of action for Trevor to suggest?
Netcat, telnet, and wget can all be used to conduct banner-grabbing. FTP will not connect properly to get the banner he wants to see.
Alex wants to scan a protected network and has gained access to a system that is behind the network firewall which can communicate to both his scanning system and the internal network. What type of nmap scan should Alex conduct to leverage this host if he cannot install nmap on system A?
A. A reflection scan B. A proxy scan C. A randomized host scan D. A ping-through scan
Answer: B.
nmap supports the use of both HTTP and SOCKS4 proxies, allowing Alex to configure the remote host as an HTTP proxy and bounce his scans through it. This can allow nmap users to leverage their scanning tools without installing them on a protected host or network.
Maddox is conducting an inventory of access permissions on cloud-based object buckets, such as those provided by the AWS S3 service. What threat is he seeking to mitigate?
A. Insecure APIs B. Improper key management C. Unprotected storage D. Insufficient logging and monitoring
Answer: C.
Maddox's actions could identify improperly secured storage buckets that require remediation. While the other vulnerabilities may exist, they are not likely to be discovered during a permissions inventory.
Lucy recently detected a cross-site scripting vulnerability in her organization's web server. The organization operates a support forum where users can enter HTML tags and the resulting code is displayed to other site visitors. What type of cross-site scripting vulnerability did Lucy discover?
A. Persistent B. Reflected C. DOM-based D. Blind
Answer: A.
This type of XSS vulnerability, where the attack is stored on a server for later users, is a persistent vulnerability. The scenario does not tell us that the code is immediately displayed to the user submitting it, so there is no indication of a reflected attack. The attack is stored on the server, rather than in the browser, so it is not a DOM-based attack. There is no such thing as a blind XSS attack.
Florian discovered a vulnerability in a proprietary application developed by his organization. The application performs memory management using the malloc() function and one area of memory allocated in this manner has an overflow vulnerability. What term best describes this overflow?
A. Buffer overflow B. Stack overflow C. Integer overflow D. Heap overflow
Answer: D.
The malloc() function allocates memory from the heap, not the stack, and therefore this is a heap overflow attack. We do not have enough information to determine the type of information stored in this area of memory, so we cannot determine whether it is an integer overflow. The vulnerability may also be described as a buffer overflow, but this is more generic and less descriptive.
Helen is using the Lockheed Martin Cyber Kill Chain to analyze an attack that took place against her organization.
Kai has identified a privilege escalation flaw on the system she targeted in the first phase of her penetration test and is now ready to take the next step. According to the NIST 800-115 standard, what is step C that Kai needs to take?
Gaining Access -> Escalating Privileges -> C -> Install Additional Tools
A. System browsing B. Scanning C. Rooting D. Consolidation
Answer: A.
Kai's next step is to prepare to pivot. To do so, she needs to browse for additional systems and to identify the methods she will use to access them. At times, this will move her back into the discovery phase.
While conducting a port scan of a remote system, Henry discovers TCP port 1433 open. What service can he typically expect to run on this port?
A. Oracle B. VNC C. IRC D. Microsoft SQL
Answer: D.
Microsoft SQL typically runs on TCP ports 1433 and 1434. Oracle's default is 1521, IRC is 6667, and VNC is 5900.
Ian's company has an internal policy requiring that they perform regular port scans of all of their servers. Ian has been part of a recent effort to move his organization's servers to an infrastructure as a service (IaaS) provider. What change will Ian most likely need to make to his scanning efforts?
A. Change scanning software B. Follow the service provider's scan policies C. Sign a security contract with the provider D. Discontinue port scanning
Answer: B.
Most IaaS providers will allow their customers to perform security scans as long as they follow the rules and policies for such scans. Ian should review his vendor's security documentation and contact them for details if he has questions.
Lauren wants to identify all the printers on the subnets she is scanning with nmap. Which of the following nmap commands will not provide her with a list of likely printers?
A. nmap -sS -p 9100,515,631 10.0.10.15/22 -oX printers.txt B. nmap -O 10.0.10.15/22 -oG - | grep printer >> printers.txt C. nmap -sU -p 9100,515,631 10.0.10.15/22 -oX printers.txt D. nmap -sS -O 10.0.10.15/22 -oG | grep >> printers.txt
Answer: C.
Using a UDP scan, as shown with the -sU flag, will not properly identify printers since print service ports are TCP ports.
Chris knows that systems have connected to a remote host on TCP ports 1433 and 1434. If he has no other data, what should his best guess be about what the host is?
A. A print server B. A Microsoft SQL server C. A MySQL server D. A secure web server running on an alternate port
Answer: B.
2000/tcp open cisco-sccp?
3000/tcp open http Apache httpd 2.2.3 CentOS
6789/tcp open ibm-db2-admin?
A. The device is a Cisco device B. The device is running CentOS C. The device was built by IBM D. None of the above
Answer: D.
Casey knows that she saw three open ports and that nmap took its best guess at what was running on those ports. In this case, the system is actually a Kali Linux system. This is not a Cisco device, it is not running CentOS, and it was not built by IBM.
Angela wants to gather detailed information about the hosts on a network passively. If she has access to a Wireshark PCAP file from the network, which of the following tools can she use to provide automated analysis of the file?
A. Ettercap B. NetworkMiner C. Sharkbait D. Dradis
Answer: B.
Angela can use NetworkMiner, a tool that can analyze existing packet capture files to do OS identification and which identifies and marks images, files, credentials, sessions, DNS queries, parameters, and a variety of other details. Ettercap can perform passive TCP stack fingerprinting but is primarily a man-in-the-middle tool. Dradis is an open source collaboration platform for security teams.
What occurs when Mia uses the following command to perform an nmap scan of a network?
nmap -sP 192.168.2.0/
A. A secure port scan of all hosts in the 192.168.0.0 to 192.168.2.255 network range B. A scan of all hosts that respond to ping in the 192.168.0.0 to 192.168.255.255 range C. A scan of all hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 range D. A SYN-based port scan of all hosts in the 192.168.2.0 to 192.168.2.255 network range
Answer: C.
The -sP flag for nmap indicates a ping scan, and /24 indicates a range of 255 addresses. In this case, that means that nmap will scan for hosts that respond to ping in the 192.168.2.0 to 192.168.2.255 IP range.
Wang submits a suspected malware file to malwr.com and receives information about its behavior based on signatures. What kind of tool is malwr.com?
A. A reverse-engineering tool B. A static analysis sandbox C. A dynamic analysis sandbox D. A decompiler sandbox
Answer: C.
Malwr.com shows a behavioral analysis of the executed code. Malwr is a dynamic analysis sandbox that runs the malware sample to determine what it does while also analyzing the file.
Vic scanned a Windows server used in his organization and found a moderate vulnerability where the admin account password does not expire. The server is on an internal network with access limited to IT staff and is not part of a domain. How urgently should Vic remediate this vulnerability?
A. Immediately B. Urgently when possible C. Scheduled at a convenient time D. Information in nature and may be left
Which one of the following actions could be taken to remediate the underlying issue of a Microsoft IIS Server XSS Elevation of Privilege vulnerability without disrupting business activity?
A. Disable the IIS service. B. Apply a security patch. C. Modify the web application. D. Apply IPS rules.
Answer: B.
Applying a security patch would correct the issue on this server. The other choices would not correct the underlying issue or may disrupt business activity.
If an attacker is able to exploit a Microsoft IIS Server XSS Elevation of Privilege vulnerability, what is the probable result that will have the highest impact on the organization?
A. Administrative control of the server B. Complete control of the domain C. Access to configuration information D. Access to web application logs
Answer: A.
Since this is an escalation of privilege vulnerability, it is likely that an attacker could gain complete control of the system.
Ted is configuring vulnerability scanning for a file server on his company's internal network. What types of vulnerability scan should Ted perform to balance the efficiency of scanning effort with expected results?
A. Ted should not perform scans of servers on the internal network. B. Ted should only perform internal vulnerability scans. C. Ted should only perform external vulnerability scans. D. Ted should perform both internal and external vulnerability scans.
Answer: B.
This server is located on an internal network and only has a private IP address. Therefore, the only scan that would provide any valid results is an internal scan. The external scanner would not be able to reach the file server through a valid IP address.
What action should be taken for a low criticality Web Server HTTP Trace/Track Method Support Cross-Site Tracing Vulnerability on a server that will be used for credit card processing?
A. Remediate the vulnerability when possible. B. Remediate the vulnerability prior to moving the system into production and rerun the scan to obtain a clean result. C. Remediate the vulnerability within 90 days of moving the system into production. D. No action is required.
Answer: D.
Action does not need to be taken on this vulnerability because it has a severity rating of 2/5. PCI DSS only requires the remediation of vulnerabilities with at least a "high" rating.
What priority should be placed on remediating a low criticality NTP Information Disclosure vulnerability?
A. Immediate B. Urgently, but not immediate C. Within the next month D. No priority necessary
Answer: D.
A. Web application vulnerability scan B. Database vulnerability scan C. Port scan D. Network vulnerability scan
Answer: B.
There is no indication in the scenario that the server is running a database; in fact, the scenario indicates that the server is dedicated to running the Apache web service. Therefore, it is unlikely that a database vulnerability scan would yield any results.
Brent ran a vulnerability scan of several network infrastructure devices on his network and found a moderate Readable SNMP Information vulnerability. What is the extent of the impact that an attacker could have by exploiting this vulnerability directly?
A. Denial of service B. Theft of sensitive information C. Network eavesdropping D. Reconnaissance
Answer: D.
This is a serious vulnerability because it exposes significant network configuration information to attackers and could be used to wage other attacks on the network. However, the direct impact is limited to reconnaissance of the network configuration information.
Yashvir runs the cybersecurity vulnerability management program for his organization. He sends a database admin a report of a missing database patch that corrects a high severity security issue. The DBA writes back to Yashvir that he has applied the patch. Yashvir reruns the scan, and it still reports the same vulnerability. What should he do next?
A. Mark the vulnerability as a false positive B. Ask the DBA to recheck the database C. Mark the vulnerability as an exception D. Escalate the issue to the DBA's manager
Answer: B.
In this case, Yashvir should ask the DBA to recheck the server to ensure that the patch was properly applied. It is not yet appropriate to mark the issue as a false positive until Yashvir performs a brief investigation to confirm the patch is applied properly. This is especially true because the vulnerability relates to a missing patch, which is not a common source of false positive reports.
Erik is reviewing the results of a vulnerability scan and comes across a low level X.509 Certificate MD5 Signature Collision Vulnerability. Which one of the following services is least likely to be affected by this vulnerability?
A. HTTPS B. HTTP C. SSH D. VPN
Answer: B.
X.509 certificates are used to exchange public keys for encrypted communications. They are a fundamental part of the SSL and TLS protocols, and an issue in an X.509 certificate may definitely affect HTTPS, SSH, and VPN communications that depend on public key cryptography. HTTP does not use encryption and would not be subject to this vulnerability.
Grace ran a vulnerability scan and detected an urgent vulnerability in a public-facing web server. This vulnerability is easily exploitable and could result in the complete compromise of the server. Grace wants to follow best practices regarding change control while also mitigating this threat as quickly as possible. What would be Grace's best course of action?
A. Initiate a high-priority change through her organization's change management process and wait for the change to be approved. B. Implement a fix immediately and document the change after the fact. C. Schedule a change for the next quarterly patch cycle. D. Initiate a standard change through her organization's change management process.
Answer: B.
Wanda should restrict interactive logins to the server. The vulnerability report states that "The most severe of these vulnerabilities could allow remote code execution if a user either visits a specially crafted website or opens a specially crafted document." If Wanda restricts interactive login, it greatly reduces the likelihood of this type of activity.
Garrett is configuring vulnerability scanning for a new web server that his organization is deploying on its DMZ network. The server hosts the company's public website. What type of scanning should Garrett configure for the best results?
A. Garrett should not perform scanning of DMZ systems. B. Garrett should perform external scanning only. C. Garrett should perform internal scanning only. D. Garrett should perform both internal and external scanning.
Answer: D.
For best results, Garrett should combine both internal and external vulnerability scans. The external scan provides an attacker's view of the web server, whereas the internal scan may uncover vulnerabilities that would only be exploitable by an insider or an attacker with local access.
James is configuring vulnerability scans of a dedicated network that his organization uses for processing credit card transactions. What types of scans are least important for James to include in his scanning program?
A. Scans from a dedicated scanner on the card processing network B. Scans from an external scanner on his organization's network C. Scans from an external scanner operated by an approved scanning vendor D. All three types of scans are equally important.
Answer: D.
All three of these scan types provide James with important information and/or are needed to meet regulatory requirements.
Tom's company is planning to begin a bring your own device (BYOD) policy for mobile devices. Which one of the following technologies allows the secure use of sensitive information on personally owned devices, including providing admins with the ability to wipe corporate information from the device without affecting personal data?
A. Remote wipe B. Strong passwords C. Biometric authentication D. Containerization
Answer: D.
Although all of the technologies listed here contribute to the security of mobile devices, only containerization allows the isolation and protection of sensitive information separate from other uses of the device. Containerization technology creates a secure vault for corporate information that may be remotely wiped without affecting other uses of the device.
Chandra's organization recently upgraded the firewall protecting the network where they process credit card information. This network is subject to the provisions of PCI DSS. When is Chandra required to schedule the next vulnerability scan of this network?
A. Immediately B. Within one month C. Before the start of next month D. Before the end of the quarter following the upgrade
Answer: A.
PCI DSS requires that networks be scanned quarterly or after any "significant change in the network."
Thomas learned this morning of a critical security flaw that affects a major service used by his organization and requires immediate patching. This flaw was the subject of news reports and is being actively exploited. Thomas has a patch and informed stakeholders of the issue and received permission to apply the patch during business hours. How should he handle the change management process?