Welcome to today’s CompTIA Security+ practice test!
Today’s practice test is based on subdomain 4.3 (Explain various activities associated with vulnerability management) from the CompTIA Security+ SY0-701 objectives.
This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.
These questions are not official exam questions, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.
#1. A security administrator at a financial institution runs a vulnerability scan and discovers several critical findings on publicly exposed servers. What is the first step in addressing these vulnerabilities?
#2. A SOC analyst receives alerts from a vulnerability scanner indicating “high-risk” SQL injection vulnerabilities in a web application. After manual verification, the analyst finds no such vulnerability exists. Which concept does this illustrate?
#3. A penetration tester reports a privilege escalation vulnerability in a production environment. The development team disputes the finding, claiming the exploit requires unrealistic conditions. How should the security team proceed?
#4. A software company is considering launching a bug bounty program to improve product security. Which of the following best describes its purpose?
#5. During a quarterly vulnerability scan, multiple outdated libraries are identified in a company’s web applications. What is the most effective remediation strategy?
#6. A vulnerability scan of IoT devices on a manufacturing floor reports multiple issues. The risk manager states that remediation will be delayed due to production constraints. What is this risk treatment method called?
#7. A vulnerability management team receives a threat feed reporting active exploitation of a zero-day vulnerability. Which step should the team take first?
#8. A company runs static application security testing (SAST) on source code before deployment. What vulnerability management phase does this activity represent?
#9. After a critical patch is applied to all affected systems, the vulnerability scanner still shows the same finding. What is the most likely reason?
#10. A vulnerability report ranks a discovered flaw with a CVSS base score of 9.8 but environmental adjustments lower it to 5.6. What does this indicate?
Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.
Answers and explanations for today's questions are in the table below.
Answers
| Number | Answer | Explanation |
|---|---|---|
| 1 | D | A security administrator at a financial institution runs a vulnerability scan and discovers several critical findings on publicly exposed servers. What is the first step in addressing these vulnerabilities? A. Deploy security patches immediately: While patching is usually the ultimate fix, deploying patches without prior assessment can cause system instability or conflicts, especially on critical production servers. Prioritization and testing should precede deployment. B. Disable all network access to the servers: This is a drastic measure that would cause significant business disruption. It may be warranted for an extremely severe, actively exploited vulnerability, but it is not the universal first step for every critical finding; it is a last resort when prioritization shows extreme risk. C. Decommission affected systems: Decommissioning is an extreme and usually unnecessary step. The goal is to secure the systems, not remove them, unless they are truly end-of-life or unpatchable and too risky to keep. This would cause major business impact. D. Prioritize vulnerabilities based on risk and exposure: After discovering critical findings, the first step is to prioritize them. Not all critical findings carry the same impact or urgency. Prioritization weighs the severity of the vulnerability, the likelihood of exploitation (including whether it is already being exploited in the wild), the impact if exploited (e.g., data sensitivity, business impact), and the exposure (publicly accessible vs. internal). This lets the administrator focus remediation on the most critical risks first. |
| 2 | A | A SOC analyst receives alerts from a vulnerability scanner indicating “high-risk” SQL injection vulnerabilities in a web application. After manual verification, the analyst finds no such vulnerability exists. Which concept does this illustrate? A. False positive: A false positive occurs when a security tool or system (like a vulnerability scanner) incorrectly identifies a threat or vulnerability that does not actually exist. The scanner flagged a “high-risk” SQL injection, but manual verification proved it was not present. B. False negative: A false negative occurs when a security tool fails to detect an actual threat or vulnerability that does exist. This is the opposite of the scenario described. C. Risk acceptance: Risk acceptance is a strategy where an organization acknowledges a particular risk and decides not to take any action to mitigate it, usually because the cost of mitigation outweighs the potential impact of the risk. This scenario is about a detection error, not a risk management decision. D. Residual risk: Residual risk is the risk that remains even after all planned security controls and mitigations have been implemented. This scenario is about an inaccurate alert, not the remaining risk after mitigation efforts. |
| 3 | B | A penetration tester reports a privilege escalation vulnerability in a production environment. The development team disputes the finding, claiming the exploit requires unrealistic conditions. How should the security team proceed? A. Ignore the vulnerability due to disputed exploitability: Ignoring a reported vulnerability, especially privilege escalation in production, is a critical security lapse. Even a disputed finding requires a proper assessment. B. Use CVSS environmental metrics to evaluate its impact: The Common Vulnerability Scoring System (CVSS) supplements the base score with environmental metrics: Modified Base Metrics (e.g., Modified Attack Vector, Modified Attack Complexity, Modified Privileges Required, Modified User Interaction) that restate how the flaw can actually be reached in this deployment, and Security Requirements (Confidentiality, Integrity and Availability Requirement) that weight the impact by how much the affected asset matters. Separately, temporal metrics (Exploit Code Maturity, Remediation Level, Report Confidence; called Threat metrics in CVSS v4.0) capture the current state of public exploit code and fixes. If the exploit really does need, say, local access and an existing low-privileged account, those conditions are expressed as Modified Attack Vector and Modified Privileges Required, and the adjusted score reflects them. This gives both teams a standardized, documented way to settle the dispute, and the finding stays tracked with an agreed severity rather than being argued away. C. Immediately disable all user accounts until resolved: This is an extreme and highly disruptive measure that would halt business operations. It is not a standard first step for a disputed finding and should only be considered for active, severe, confirmed exploitation. D. Close the report without further action: Closing the report without an objective evaluation (such as re-scoring with CVSS environmental metrics) would be irresponsible and would leave the organization exposed to a potentially critical risk. |
| 4 | B | A software company is considering launching a bug bounty program to improve product security. Which of the following best describes its purpose? A. Perform internal security audits: Bug bounty programs are external, not internal. Internal security audits are conducted by the company’s own security team or hired auditors. B. Incentivize external researchers to responsibly report vulnerabilities: A bug bounty program offers financial rewards or recognition to ethical hackers and security researchers from outside the organization. The primary purpose is to incentivize them to find and responsibly disclose vulnerabilities in the company’s products or services before malicious actors can exploit them. This leverages a wider pool of talent than an internal team could provide. C. Replace vulnerability scanners with crowdsourced findings: Bug bounty programs supplement, rather than replace, automated vulnerability scanners. Scanners are good for identifying common, known vulnerabilities, while human researchers often find more complex, logical, or zero-day issues. D. Publicly disclose all known vulnerabilities immediately: Responsible disclosure, a key tenet of bug bounty programs, usually involves a coordinated effort where the vulnerability is patched before public disclosure. Immediate public disclosure without a fix would put users at risk. |
| 5 | C | During a quarterly vulnerability scan, multiple outdated libraries are identified in a company's web applications. What is the most effective remediation strategy? A. Disable vulnerability scanning temporarily: Disabling scans would prevent the organization from identifying new or recurring vulnerabilities. It is akin to ignoring a problem rather than solving it, and would leave the company blind to its security posture. B. Remove internet access to all servers: This is an extreme measure that would cause severe business disruption and is disproportionate to the typical risk of outdated libraries. It might be a last resort for an actively exploited critical vulnerability, but it is not a general remediation strategy for multiple findings. C. Update the libraries to the latest supported versions: Outdated libraries often contain known, publicly documented vulnerabilities. The most direct and effective remediation is to update them to current, patched, supported versions, which removes the known weaknesses. In practice you would still prioritize by risk and test the updated application before release, but among the options given, updating is the only one that actually fixes the flaw. D. Add the findings to an exception list: Adding findings to an exception list means accepting the risk without remediating it. This may be necessary for specific, low-risk cases where no fix is possible, but it is not a remediation strategy and should be used with extreme caution, especially for critical findings. |
| 6 | B | A vulnerability scan of IoT devices on a manufacturing floor reports multiple issues. The risk manager states that remediation will be delayed due to production constraints. What is this risk treatment method called? A. Risk transfer: Risk transfer involves shifting the burden of risk to another party, often through insurance or by outsourcing. This isn’t happening here; the organization is still bearing the risk. B. Risk acceptance: Risk acceptance is a risk treatment strategy where an organization consciously decides to acknowledge a specific risk and take no action to reduce or eliminate it. In this scenario, the risk manager, due to production constraints (likely meaning the cost or impact of remediation outweighs the perceived immediate benefit or feasibility), has chosen to accept the risk of the vulnerabilities being present, at least for a delayed period. C. Risk avoidance: Risk avoidance involves taking steps to eliminate the risk entirely, often by discontinuing the activity that creates the risk. Delaying remediation means the risk is still present, so it’s not avoidance. D. Risk mitigation: Risk mitigation involves implementing controls or actions to reduce the likelihood or impact of a risk. While remediation is mitigation, the statement explicitly says remediation will be delayed due to constraints, implying a decision to accept the risk for now, rather than actively mitigating it. |
| 7 | B | A vulnerability management team receives a threat feed reporting active exploitation of a zero-day vulnerability. Which step should the team take first? A. Wait for vendor patches: While vendor patches are the ultimate long-term solution, waiting is not an option for an actively exploited zero-day. Immediate action is required to protect the organization before a patch is available. B. Conduct a risk assessment to determine exposure Even with a zero-day (a vulnerability unknown to the vendor and therefore unpatched), the immediate first step is to understand your exposure. This involves: – Identifying if your organization has affected systems. – Determining which of those systems are publicly accessible or hold critical data. – Assessing the potential impact if exploited. This rapid risk assessment allows the team to prioritize and determine the most appropriate immediate next steps, which could range from monitoring to isolation, based on the actual threat to their environment. C. Disable all network traffic to affected systems: This is a drastic containment measure that would cause significant business disruption. It might be a necessary step after a rapid risk assessment (Option B) determines extreme exposure and impact, but it’s not the universal first step. You need to know what is affected and how critical it is before taking such a disruptive action. D. Launch a bug bounty program: A bug bounty program is a proactive security initiative for long-term vulnerability discovery. It is not an immediate response to an actively exploited zero-day threat. |
| 8 | A | A company runs static application security testing (SAST) on source code before deployment. What vulnerability management phase does this activity represent? A. Identification: SAST (Static Application Security Testing) analyzes an application's source code, bytecode, or binaries without executing it, looking for vulnerabilities. Running it is a discovery activity: it aims to identify potential security flaws in the code before the application is deployed. B. Analysis: Analysis is certainly part of working through the SAST findings (triaging, confirming, and rating them), but the act of running SAST to find issues falls under the identification phase. Analysis follows identification. C. Remediation: Remediation is the act of fixing or patching identified vulnerabilities. SAST is a discovery tool, not a fix. D. Validation: Validation verifies that a vulnerability has been successfully remediated. This happens after remediation, not during the initial scanning phase. |
| 9 | D | After a critical patch is applied to all affected systems, the vulnerability scanner still shows the same finding. What is the most likely reason? A. Patch rollback: A patch rollback means the patch was intentionally or unintentionally uninstalled. While possible, it is less likely than a missed reboot, especially if the patch application process reported success. B. Misconfigured vulnerability scanner: A misconfigured scanner could contribute, but if it correctly identified the vulnerability before the patch and the finding persists afterwards, it is more probable that the patch has not fully taken effect on the target. C. False positive in the original scan: If it were a false positive, the original scan would have been incorrect. The premise, however, is that a "critical patch is applied", implying the vulnerability was real; and if it had been a false positive, applying a patch would not change the finding either way. D. Patch requires a system reboot to take effect: Many critical patches, especially for operating systems, kernels, or core services, require a reboot (or at least a service restart) before the patched code is actually running. Until then the old, vulnerable code is still loaded, and the scanner reports the vulnerability again. Reboot, then rescan to validate the fix. |
| 10 | B | A vulnerability report ranks a discovered flaw with a CVSS base score of 9.8 but environmental adjustments lower it to 5.6. What does this indicate? A. The vulnerability does not exist in the environment: If the vulnerability did not exist, it would not have a base score (9.8) to adjust, or the finding would have been a false positive. Environmental adjustments reduce the risk; they do not erase the existence of the flaw. B. The vulnerability is mitigated by existing controls: The CVSS base score represents the inherent severity of a vulnerability independent of any deployment. Environmental metrics (Modified Base Metrics and Security Requirements) let an organization re-score it for its own context, and temporal metrics separately reflect exploit availability and fix status. A drop from 9.8 (Critical) to 5.6 (Medium) after environmental adjustment indicates that conditions in that environment (e.g., compensating controls, network segmentation, required privileges, or low sensitivity of the affected asset) substantially reduce the actual risk, even though the inherent severity is high. C. The scanner produced a false negative: A false negative means the scanner failed to detect an existing vulnerability. Here the vulnerability was detected and its score adjusted, which is the opposite. D. The vulnerability score was incorrectly calculated: Calculation errors can happen, but the premise is that environmental adjustments lowered the score. That is a legitimate function of CVSS for reflecting context, not evidence that the base score was wrong. |