Text preview & study summary

CompTIA CySA+ CS0-003 - All Domains Security Operations Vulnerability Management IR

A free sample of 5 questions from this quiz, shown in full with answer choices and explanations. No interactivity — everything is visible on this page for study and review.

Want to test your knowledge? Launch the Interactive Exam Simulator

Question 1

A vulnerability assessment reveals a server running software with a CVSS base score of 7.5. However, a threat intelligence feed indicates this CVE is being actively exploited in the wild by nation-state actors targeting your industry. How does this intelligence affect prioritization?

Answer choices

  • A. It doesn't change prioritization — CVSS base score is the only factor

  • B. Active exploitation by relevant threat actors significantly elevates the urgency — this should be treated as critical and remediated immediately (Correct)

  • C. It lowers the priority because other organizations are already being attacked

  • D. CVSS scores already incorporate threat intelligence

Explanation

CVSS base scores don't account for active exploitation context. CISA's Known Exploited Vulnerabilities (KEV) catalog tracks CVEs actively exploited in the wild. Intelligence showing targeted exploitation by relevant threat actors dramatically elevates practical risk beyond what CVSS indicates.

Question 2

A SOC analyst receives a SIEM alert for a successful brute-force login to an admin account. The login came from an IP address in Russia, while the legitimate admin works from the US. Which action should the analyst take FIRST?

Answer choices

  • A. Email the admin to verify if they are traveling

  • B. Immediately disable the admin account, preserve logs, and initiate the incident response process (Correct)

  • C. Block the Russian IP address in the firewall

  • D. Wait for another alert before acting

Explanation

Confirmed brute-force success from an anomalous location requires immediate containment. Disabling the compromised account stops ongoing unauthorized access. Preserving logs ensures forensic evidence. Contacting the admin should happen during investigation, but account containment comes first.

Question 3

An analyst is reviewing a vulnerability scan report. A critical vulnerability (CVSS 9.8) is found on a server with no internet access, protected by a firewall, requiring authenticated access from an IP-restricted management VLAN. What should the analyst recommend?

Answer choices

  • A. Patch the vulnerability immediately regardless of context

  • B. Apply the patch in the next scheduled maintenance window — environmental controls reduce the exploitability score, but the vulnerability should still be remediated (Correct)

  • C. Remove the vulnerability from the report

  • D. Accept the risk permanently with no action needed

Explanation

Contextual risk analysis uses environmental score modifications. A CVSS 9.8 vulnerability in an isolated environment with multiple compensating controls has lower actual exploitability. However, it should still be patched in a planned maintenance window. Permanent risk acceptance for a critical CVE is inappropriate.

Question 4

A security analyst is investigating a compromise and runs the command `netstat -ano` on a Windows system. What information does this provide for the investigation?

Answer choices

  • A. List of all installed programs

  • B. All active TCP/UDP connections with process IDs (PIDs), enabling correlation of suspicious connections to specific processes (Correct)

  • C. All open files on the system

  • D. All logged-in users

Explanation

`netstat -ano` shows all network connections (-a), numerically (-n), and the owning process ID (-o). This is critical for incident response: investigators correlate suspicious outbound connections (to C2 IPs) with the PID, then identify the process in Task Manager to find malware.

Question 5

An analyst wants to understand the scope of a potential insider threat by analyzing which files a specific user accessed over the past 30 days. Which data source is MOST relevant?

Answer choices

  • A. Network flow data (NetFlow)

  • B. Windows Security Event Log (Event ID 4663 — object access audit events) (Correct)

  • C. DHCP logs

  • D. DNS query logs

Explanation

Windows Security Event ID 4663 (An attempt was made to access an object) logs when files/objects are accessed, by which user, from which process, when. Combined with file auditing enabled on sensitive shares, this provides a complete audit trail of file access for insider threat investigations.