CompTIA Cybersecurity Analyst (CySA+) Certification – Domain 1.0 Security Operations Practice EXAM LATEST 2026-2027 100 QUESTIONS AND 100% Verified ANSWERS

Exams of Cybercrime, Cybersecurity and Data Privacy

Typology: Exams

2025/2026

Available from 06/05/2026

denis-kinyua-2


Fred's reconnaissance of an organization includes a search of the Censys network search engine. There, he discovers multiple certificates with validity dates as shown here:

Validity:
2018-07-07 00:00:00 to 2019-08-11 23:59:59 (400 days, 23:59:59)
2017-07-08 00:00:00 to 2019-08-12 23:59:59 (400 days, 23:59:59)
2018-07-11 00:00:00 to 2019-08-15 23:59:59 (400 days, 23:59:59)

What should Fred record in his reconnaissance notes?

A. The certificates expired as expected, showing proper business practice.
B. The certificates were expired by the CA, possibly due to nonpayment.
C. The system that hosts the certificates may have been compromised.
D. The CA may have been compromised, leading to certificate expiration.
A.

When an organization expires multiple certificates, it often indicates a security problem that resulted in a need to invalidate the certificates. Fred should check for other information about a possible compromise near the dates of expiration.

Ryan's passive reconnaissance efforts resulted in the following packet capture. Which of the following statements cannot be verified based on the packet capture shown for the host with IP address 10.0.2.4?

A. The host does not have a DNS entry.
B. It is running a service on port 139.
C. It is running a service on port 445.
D. It is a Windows system.
D.

While the system responded on common Windows ports, you cannot determine whether it is a Windows system. It did respond, and both ports 139 and 445 were accessible. When the host the Wireshark capture was conducted from queried DNS, it did not receive a response, indicating that the system does not have a DNS entry (or at least, it doesn't have one that is available to the host that did the scan and ran the Wireshark capture).

Stella is analyzing the results of a vulnerability scan and comes across the vulnerability shown here on a server in her organization. The SharePoint service in question processes all of the organization's work orders and is a critical part of the routing business workflow. What is the best way that Stella can correct this vulnerability?

A. Deploy an intrusion prevention system.
B. Apply one or more application patches.
C. Apply one or more operating system patches.
D. Disable the service.
B.

The vulnerability report indicates that SharePoint application patches are available to correct the vulnerability on a variety of versions of SharePoint. This should be Stella's first course of action since it will correct the underlying issue. Deploying an intrusion prevention system may also prevent attackers from exploiting the vulnerability, but it will depend on the positioning of the IPS and the attacker's location on the network and will not correct the underlying issue. There is no indication that an operating system patch will correct the issue. Disabling the service will prevent an attacker from exploiting the vulnerability but will also disable the business-critical service.

Applying a security patch would correct the issue on this server. The fact that the header for this vulnerability includes a Microsoft security bulletin ID indicates that Microsoft likely released a patch. Disabling the IIS service would disrupt business activity on the server. Modifying the web application would not likely address this issue, as the report indicates that it is an issue with the underlying IIS server and not a specific web application. IPS rules may prevent an attacker from exploiting the vulnerability, but they would not correct the underlying issue.

Ryan ran a vulnerability scan of one of his organization's production systems and received the report shown here. He would like to understand this vulnerability better and then remediate the issue. If an attacker is able to exploit this vulnerability, what is the probable result that will have the highest impact on the organization?

A. Administrative control of the server
B. Complete control of the domain
C. Access to configuration information
D. Access to web application logs
A.

Since this is an escalation of privilege vulnerability, it is likely that an attacker could gain complete control of the system. There is no indication that control of this system would then lead to complete control of the domain. Administrative control of the server would grant access to configuration information and web application logs, but these issues are not as serious as an attacker gaining complete control of the server.

Mike runs a vulnerability scan against his company's virtualization environment and finds an information-level HTTP Methods Allowed (per directory) in several of the virtual hosts. What action should Mike take?

A. No action is necessary because this is an informational report.
B. Mike should disable HTTP on the affected devices.
C. Mike should upgrade the version of OpenSSL on the affected devices.
D. Mike should immediately upgrade the hypervisor.
A.

This is an informational-level report that will be discovered on any server that supports the OPTIONS method. This is not a serious issue and is listed as an informational item, so Mike does not need to take any action to address it.

Without access to any additional information, which one of the following vulnerabilities would you consider the most severe if discovered on a production web server?

A. CGI generic SQL injection
B. Web application information disclosure
C. Web server uses basic authentication without HTTPS
D. Web server directory enumeration
A.

The SQL injection attack could be quite serious, since it may allow an attacker to retrieve and/or modify information stored in the backend database. The second highest priority should be resolving the use of unencrypted authentication, because it may allow the theft of user credentials. The remaining two vulnerabilities are less serious, because they only pose a reconnaissance risk.

Carla is designing a vulnerability scanning workflow and has been tasked with selecting the person responsible for remediating vulnerabilities. Which one of the following people would normally be in the best position to remediate a server vulnerability?

A. Cybersecurity analyst
B. System administrator
C. Network Engineer

C. Scheduled vulnerability scanning
D. Agent-based monitoring
D.

Vulnerability scans can only provide a snapshot in time of a system's security status from the perspective of the vulnerability scanner. Agent-based monitoring provides a detailed view of the system's configuration from an internal perspective and is likely to provide more accurate results regardless of the frequency of vulnerability scanning.

Andrea recently discovered a moderate-level PuTTY Local Information Disclosure Vulnerability on the workstation belonging to a system administrator in her organization. What is the major likely threat that should concern Andrea?

A. An attacker could exploit this vulnerability to take control of the administrator's workstation.
B. An attacker could exploit this vulnerability to gain access to servers managed by the administrator.
C. An attacker could exploit this vulnerability to prevent the administrator from using the workstation.
D. An attacker could exploit this vulnerability to decrypt sensitive information stored on the administrator's workstation.
B.

PuTTY is a commonly used remote login application used to connect to servers and other networked devices. If an attacker gains access to the SSH private keys used by PuTTY, the attacker could use those keys to gain access to the systems managed by that administrator.

Tom is planning a series of vulnerability scans and wants to ensure that the organization is meeting its customer commitments with respect to the scans' performance impact. What two documents should Tom consult to find these obligations?

A. SLAs and MOUs
B. SLAs and DRPs
C. DRPs and BIAs
D. BIAs and MOUs
A.

Tom should consult service level agreements (SLAs) and memorandums of understanding (MOUs). These documents should contain all commitments made to customers related to performance. Disaster recovery plans (DRPs) and business impact assessments (BIAs) should not contain this type of information.

Donna is working with a system engineer who wants to remediate vulnerabilities in a server that he manages. Which report template would be most useful to the engineer?

A. Qualys Top 20 Report
B. PCI Technical Report
C. Executive Report
D. Technical Report
D.

The technical report will contain detailed information on a specific host and is designed for an engineer seeking to remediate the system. The PCI Technical report would focus on credit card compliance issues, and there is no indication that this server is used for credit card processing. The Qualys Top 20 Report and Executive Report would contain summary information more appropriate for a management audience and cover an entire network, rather than provide detailed information on a single system.

Abdul received a high-level Unauthenticated Access to FTP Server Allowed vulnerability alert for a server in his organization. The server runs a legacy application that cannot easily be updated. What risks does this vulnerability present?

Given no other information, which one of the following vulnerabilities would you consider the greatest threat to information confidentiality?

A. HTTP TRACE/TRACK methods enabled
B. SSL Server with SSL v3 enabled
C. phpinfo information disclosure
D. Web application SQL injection
D.

Although all these vulnerabilities do pose a confidentiality risk, the SQL injection poses the greatest threat because it may allow an attacker to retrieve the contents of a backend database. The HTTP TRACK/TRACE and PHP information disclosure may provide reconnaissance information but would not directly disclose sensitive information. SSL v3 is no longer considered secure but is much more difficult to exploit for information theft than a SQL injection issue.

Sophia discovered a critical-level Microsoft Windows Server 2003 Unsupported Installation vulnerability on one of the servers running in her organization. The vulnerability alert indicates Microsoft no longer supports the operating system. What action should she take?

A. Decommission this server.
B. Run Windows Update to apply security patches.
C. Require strong encryption for access to this server.
D. No action is required.
A.

This is a critical vulnerability that should be addressed immediately. In this case, Sophia should decommission the server and replace it with a server running a current operating system. Microsoft no longer supports Windows Server 2003.

Ling recently completed the security analysis of a web browser deployed on systems in her organization and discovered that it is susceptible to a zero-day integer overflow attack. Who is in the best position to remediate this vulnerability in a manner that allows continued use of the browser?

A. Ling
B. The browser developer
C. The network administrator
D. The domain administrator
B.

Ling or the domain administrator could remove the software from the system, but this would not allow continued use of the browser. The network administrator could theoretically block all external web browsing, but this is not a practical solution. The browser developer is the only one in a good situation to correct an overflow error because it is a flaw in the code of the web browser.

Renee is assessing the exposure of her organization to a denial-of-service vulnerability in the scan report. She is specifically interested in determining whether an external attacker would be able to exploit the denial-of-service vulnerability. The vulnerability is a moderate-level MediaWiki Information Disclosure Denial of Service and Multiple Cross-Site Scripting. Which one of the following sources of information would provide her with the best information to complete this assessment?

A. Server logs
B. Firewall rules
C. IDS configuration
D. DLP configuration
B.

The firewall rules would provide Renee with information about whether the service is accessible from external networks. Server logs would contain information on actual access but would not definitively state whether the server is unreachable from external addresses. Intrusion detection systems may detect an attack in progress but are not capable of blocking traffic and would not be relevant to Renee's analysis. Data loss prevention systems protect against confidentiality breaches and would not be helpful against an availability attack.

The server with IP address 10.0.102.58 is the only server among the possible answers that has a level 5 vulnerability. Level 5 vulnerabilities have the highest severity and should be prioritized. The server at 10.0.16. has the most overall vulnerabilities but does not have any level 5 vulnerabilities.

Holly ran a scan of a server in her datacenter and the most serious result was a moderate-level phpinfo Information Disclosure vulnerability. What action is most commonly taken to remediate this?

A. Remove the file from the server.
B. Edit the file to limit information disclosure.
C. Password protect the file.
D. Limit file access to a specific IP range.
A.

The phpinfo file is a testing file often used by web developers during the initial configuration of a server. Although any of the solutions provided here may remediate this vulnerability, the most common course of action is to simply remove this file before the server is moved into production or made publicly accessible.

Arlene ran a vulnerability scan of a VPN server used by contractors and employees to gain access to her organization's network. An external scan of the server found a moderate-level SSL Certificate Signed Using Weak Hashing Algorithm vulnerability. How can Arlene correct this vulnerability?

A. Reconfigure the VPN server to only use secure hash functions.
B. Request a new certificate.
C. Change the domain name of the server.
D. Implement an intrusion prevention system.
B.

This error is a vulnerability in the certificate itself and may be corrected only by requesting a new certificate from the certificate authority (CA) that uses a secure hash algorithm in the certificate signature.

Sara's organization has a well-managed test environment. What is the most likely issue that Sara will face when attempting to evaluate the impact of a vulnerability remediation by first deploying it in the test environment?

A. Test systems are not available for all production systems.
B. Production systems require a different type of patch than test systems.
C. Significant configuration differences exist between test and production systems.
D. Test systems are running different operating systems than production systems.
A.

In a well-managed test environment, the test systems should be configured in a near-identical manner to production systems. They should be running the same operating systems and require the same patches. However, in almost every organization, there are systems running in production that do not have mirror deployments in test environments because of cost, legacy system issues, and other reasons.

How many vulnerabilities listed in the report shown here are significant enough to warrant immediate remediation in a typical operating environment?

A. 22
B. 14
C. 5
D. 0
D.

The vulnerability scan of this server has fairly clean results. All of the vulnerabilities listed are severity 3 or lower. In most organizations, immediate remediation is required only for severity 4 or 5 vulnerabilities.

Isaac wants to grab the banner from a remote web server using commonly available tools. Which of the following tools cannot be used to grab the banner from the remote host?

A. Netcat
B. Telnet
C. Wget
D. FTP
D.

Netcat, telnet, and wget can all be used to conduct banner-grabbing. FTP will not connect properly to get the banner he wants to see.

Alex wants to scan a protected network and has gained access to a system that is behind the network firewall which can communicate to both his scanning system and the internal network. What type of nmap scan should Alex conduct to leverage this host if he cannot install nmap on system A?

A. A reflection scan
B. A proxy scan
C. A randomized host scan
D. A ping-through scan
B.

nmap supports the use of both HTTP and SOCKS4 proxies, allowing Alex to configure the remote host as an HTTP proxy and bounce his scans through it. This can allow nmap users to leverage their scanning tools without installing them on a protected host or network.

Maddox is conducting an inventory of access permissions on cloud-based object buckets, such as those provided by the AWS S3 service. What threat is he seeking to mitigate?

A. Insecure APIs
B. Improper key management
C. Unprotected storage
D. Insufficient logging and monitoring
C.

Maddox's actions could identify improperly secured storage buckets that require remediation. While the other vulnerabilities may exist, they are not likely to be discovered during a permissions inventory.

Lucy recently detected a cross-site scripting vulnerability in her organization's web server. The organization operates a support forum where users can enter HTML tags and the resulting code is displayed to other site visitors. What type of cross-site scripting vulnerability did Lucy discover?

A. Persistent
B. Reflected
C. DOM-based
D. Blind
A.

This type of XSS vulnerability, where the attack is stored on a server for later users, is a persistent vulnerability. The scenario does not tell us that the code is immediately displayed to the user submitting it, so there is no indication of a reflected attack. The attack is stored on the server, rather than in the browser, so it is not a DOM-based attack. There is no such thing as a blind XSS attack.

Florian discovered a vulnerability in a proprietary application developed by his organization. The application performs memory management using the malloc() function and one area of memory allocated in this manner has an overflow vulnerability. What term best describes this overflow?

GET /scripts/sample.php
GET /scripts/test.php
GET /scripts/manage.php
GET /scripts/download.php

A. A denial-of-service attack
B. A vulnerability scan
C. A port scan
D. A directory traversal attack
B.

Testing for common sample and default files is a common tactic for vulnerability scanners. Janet can reasonably assume that her Apache web server was scanned using a vulnerability scanner.

Kai has identified a privilege escalation flaw on the system she targeted in the first phase of her penetration test and is now ready to take the next step. According to the NIST 800-115 standard, what is step C that Kai needs to take?

Gaining Access -> Escalating Privileges -> C -> Install Additional Tools

A. System browsing
B. Scanning
C. Rooting
D. Consolidation
A.

Kai's next step is to prepare to pivot. To do so, she needs to browse for additional systems and to identify the methods she will use to access them. At times, this will move her back into the discovery phase.

While conducting a port scan of a remote system, Henry discovers TCP port 1433 open. What service can he typically expect to run on this port?

A. Oracle
B. VNC
C. IRC
D. Microsoft SQL
D.

Microsoft SQL typically runs on TCP ports 1433 and 1434. Oracle's default is 1521, IRC is 6667, and VNC is 5900.

Ian's company has an internal policy requiring that they perform regular port scans of all of their servers. Ian has been part of a recent effort to move his organization's servers to an infrastructure as a service (IaaS) provider. What change will Ian most likely need to make to his scanning efforts?

A. Change scanning software
B. Follow the service provider's scan policies
C. Sign a security contract with the provider
D. Discontinue port scanning
B.

Most IaaS providers will allow their customers to perform security scans as long as they follow the rules and policies for such scans. Ian should review his vendor's security documentation and contact them for details if he has questions.