CompTIA CySA+ Practice Test (CS0-003)

The correct answer is to prioritize patching the affected service. The vulnerability is described as having a well-known exploit with readily available code, which means it is highly likely to be weaponized by attackers. According to the vulnerability management lifecycle, after a critical vulnerability is identified and assessed, the next step is to prioritize its remediation. While isolating the server, implementing a WAF rule (a compensating control), or performing additional scans are all possible security actions, patching is the definitive measure that resolves the root cause of the vulnerability. Given the high risk, it should be prioritized for immediate action over other options.

Tracking the 'Mean time to remediate' provides valuable insight into how quickly an organization is able to address vulnerabilities. Shorter remediation times typically indicate that the organization is improving its processes and resources for handling vulnerabilities. Monitoring trends in this metric helps teams assess their efficiency and effectiveness over time.

Other metrics like 'Total number of identified vulnerabilities' can be useful but might not directly indicate process improvement unless analyzed alongside remediation times and other efficiency metrics.

The primary consideration for escalating an incident is its potential impact on the organization. This entails assessing the severity, scope, and possible consequences of the incident. High-impact incidents require swift escalation to ensure appropriate stakeholders can address them quickly. User reports and incident documentation are important but not the initial trigger for escalation.

ISO/IEC 27001 is the best choice because it provides a model for establishing, implementing, maintaining, and continually improving an information security management system (ISMS). This standard is designed to ensure the selection of adequate and proportionate security controls that protect information assets and give confidence to interested parties. ISO/IEC 27002 provides guidelines for organizational information security standards and information security management practices including the selection, implementation, and management of controls, but does not outline a management system framework itself.

In this scenario, initiating an on-demand threat hunt gathers intelligence but does not immediately contain the potential threat. A threat hunt is a proactive, in-depth investigation and should occur after containment. A memory dump can preserve forensic data but may risk losing volatile evidence if performed improperly and still does not halt the attacker. Escalating the alerts to the incident-response team is important for coordination but does not itself stop malicious activity. Isolating the endpoint from the network prevents further data loss and lateral movement within seconds, using a core EDR containment capability; therefore, it is the most immediate and effective action.

Automated patch management platforms can identify missing patches, test them, and then schedule deployment during predefined maintenance windows or off-peak hours. This provides the speed needed to remediate vulnerabilities quickly while avoiding downtime for users. Manual bi-weekly patching, unscheduled immediate roll-outs, or waiting until the monthly maintenance window either leave systems exposed for longer or increase the risk of interrupting business-critical services.

The 'Initial Access' phase in the MITRE ATT&CK framework focuses on identifying the techniques used by attackers to gain an initial foothold in the network. This can include methods such as spearphishing, exploiting vulnerabilities, and using rogue access points. Recognizing the initial access vector is crucial for understanding how attackers entered the network and preventing similar breaches in the future. Other phases like 'Execution' and 'Exfiltration' deal with different stages of the attack and do not specifically focus on the entry point.

When communicating a security incident to customers, especially one that involves unauthorized access to their data, an official notification provides transparent, direct, and legally appropriate information. It is important these communications are clear, factual, and often they need to comply with data breach notification laws. The notification typically includes what happened, what information was involved, what the company has done to address the breach, and what actions customers can take to protect themselves. A blog post might not be formal or targeted enough, a tweet is too informal and limited in detail, and internal documentation is not intended for customers.

The correct answer is Impacted systems and data. An executive summary is written for a non-technical, leadership audience whose primary concern is the business impact of an incident. Describing the impacted systems and data provides a clear, high-level overview of the incident's scope and severity, which is essential for executive decision-making. While a detailed timeline of events and specific technical details are crucial for the full technical report, they are too granular for an executive summary. Similarly, recommendations for technical staff belong in the full report; an executive summary should contain high-level, strategic recommendations.

An MOU generally outlines a shared intent or cooperative relationship rather than creating a legally enforceable obligation. While it may describe desired remediation timelines, it typically lacks the contractual force, penalties, or statutory authority found in an SLA or a regulatory mandate. Therefore, only the first option correctly identifies an MOU's usual non-binding nature; the other options incorrectly portray it as a binding contract, a statutory requirement, or an internal audit standard.

Diffie-Hellman Ephemeral (DHE) is the key-agreement protocol identified by the DHE string in a TLS cipher suite. During the handshake, each side generates a temporary Diffie-Hellman key pair and exchanges the public values. This asymmetric exchange yields a shared premaster secret that never traverses the network in plaintext. TLS then derives symmetric session keys (for example, AES-128-GCM) from that secret, and all subsequent packets are encrypted symmetrically. Because new DH values are generated for every handshake, DHE also delivers perfect forward secrecy. ECDH-static and RSA key transport rely on asymmetric cryptography but either reuse long-term keys or lack forward secrecy, and AES itself is purely symmetric.

The correct answer is "Providing random and malformed data to the application forms to identify handling errors." because fuzzing is about testing the application's response to unexpected or invalid data. If the application does not handle this kind of input gracefully, it could result in crashes or exploitable conditions. Using legitimate inputs would not serve the purpose of fuzzing as it would not likely lead to discovering new vulnerabilities. Scanning the source code would involve static analysis, which is different from the dynamic approach of fuzzing.

Metasploit framework is a multipurpose tool that can be used for both network scanning and performing exploit testing. It is well-known for its ability to not only identify vulnerabilities but also to simulate attacks to see how the vulnerabilities could potentially be exploited. Nmap is primarily used for network discovery and security auditing but does not offer built-in functionalities for exploit testing. Wireshark is used for packet analysis and network troubleshooting rather than vulnerability scanning or exploit testing. OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping, but it does not provide the scanning or exploit testing capabilities required for a comprehensive assessment.

Risk score should be given the highest priority when preparing a vulnerability management report for effective communication with stakeholders. The risk score correlates with the potential impact a vulnerability may have on the organization and helps stakeholders understand the urgency and importance of addressing the vulnerability. Mitigating high-risk vulnerabilities is crucial to protecting an organization's assets; therefore, the risk score is essential for prioritization. While understanding the affected hosts, mitigation steps, and trends are important, they are secondary to the immediate need of addressing the riskiest vulnerabilities as identified by the risk score.

A comprehensive inventory of the affected systems, data classifications, and business processes is the clearest way to convey the breach's scope. Listing every compromised server, application, and dataset shows how deeply the attacker penetrated, the sensitivity of the information at risk, and which business units are impacted. Root-cause details, containment timelines, and MTTR/MTTD metrics are valuable, but they describe how or when the incident happened and how quickly you reacted-not the breadth of what was actually compromised.

The lessons learned phase occurs after containment, eradication, and recovery are complete. The response team conducts a structured review to measure the effectiveness of its actions, identify successes and shortcomings, and document actionable recommendations. This retrospective feeds updates to the incident response plan, playbooks, security controls, and training, enhancing the organization's ability to handle future incidents. By contrast, an incident response plan is part of preparation, remediation happens during containment and eradication, and chain of custody concerns evidence handling, not post-incident analysis.

The executive summary is a critical section of an incident response report that provides upper management with a concise overview of the incident, emphasizing key points such as impact, scope, and recommended actions. It allows executives to quickly understand the situation without needing to parse through technical details that might be included in other parts of the report. The other options are either too detailed for an executive summary or may not necessarily be included in every incident report at the executive summary level.

Choosing a time when system usage is at its lowest reduces the impact on business operations. Scheduling maintenance during low-usage periods helps ensure minimal disruption and user complaints. Risk exposure, regulatory approval, and notification timelines are important but secondary considerations that support this primary objective.

A zero-day is a software vulnerability that is unknown to the vendor and has no available patch, making it exploitable by attackers before a fix is developed.

Regular exercises, such as tabletop exercises, are the most vital part of an incident response plan. These exercises prepare the incident response team for real-world scenarios and help identify weaknesses in the response plan. Having contacts and communications at hand is indeed useful, but without practice and validation through exercises, the plan's effectiveness is untested. Data backups are a critical part of recovery but do not directly relate to the incident response process itself. Incident response tools assist in the response but are only effective if the team knows how to use them in the context of a practiced plan.