Welcome to today’s CompTIA Security+ practice test!


Today’s practice test is based on Subdomain 4.3 (Explain various activities associated with vulnerability management) from the CompTIA Security+ SY0-701 objectives.

This beginner-level practice test is inspired by the CompTIA Security+ (SY0-701) exam and is designed to help you reinforce key cybersecurity concepts on a daily basis.

These questions are not official exam questions, nor are they brain dumps, but they reflect topics and scenarios relevant to the Security+ certification. Use them to test your knowledge, identify areas for improvement, and build daily cybersecurity habits.

Note: CompTIA and Security+ are registered trademarks of CompTIA. This content is not affiliated with or endorsed by CompTIA.



CompTIA Security+ Practice Test of the Day 260319
10 questions • Single best answer

Question 1

An analyst in a SOC at a regional hospital network is reviewing the output from the organization's vulnerability scanner, which returned 312 open findings across all production systems following a comprehensive scan. The security team has limited remediation bandwidth and must determine which vulnerabilities to address first to reduce the most risk within a 72-hour emergency response window. The team lead instructs the analyst to use an industry-standard framework that assigns a numeric severity rating to each vulnerability based on characteristics such as attack vector, attack complexity, privileges required, and potential impact on confidentiality, integrity, and availability. Which framework is MOST commonly used to assign standardized severity scores to vulnerabilities for the purpose of remediation prioritization?

Question 2

A vulnerability management team at a large manufacturing company conducted a credentialed scan across their server infrastructure and received a report flagging a critical remote code execution vulnerability in an older version of OpenSSL on a production web server. A senior systems engineer reviews the finding and confirms that while the vulnerable version of OpenSSL was installed six months prior, a validated patch was applied and verified during the most recent maintenance window, and the configuration management database was updated to reflect the change. Further investigation reveals that the vulnerability scanner's plugin definitions had not been refreshed in over 90 days and therefore failed to recognize the patched state of the system. Which term BEST describes the type of scan result the team encountered in this scenario?

Question 3

A penetration tester hired to assess the external attack surface of a financial services company has successfully exploited a critical SQL injection flaw in the organization's externally facing customer account portal. The tester was able to extract the entire customer database — including account numbers, Social Security numbers, and transaction histories — within 90 minutes of beginning the assessment. Notably, the organization's enterprise vulnerability scanner had scanned the same application three days earlier, completed without errors, and reported zero high-severity findings for that application. Which term BEST describes the vulnerability scanner's failure to detect the SQL injection vulnerability that the penetration tester subsequently exploited?

Question 4

A security architect at an energy company is conducting a vulnerability review of the industrial control systems (ICS) used to manage real-time pipeline pressure monitoring equipment across multiple remote sites. The systems run a legacy operating system that the original equipment manufacturer no longer supports, and the security team has confirmed that applying the OS-level patch required to remediate a critical publicly disclosed vulnerability would break the proprietary SCADA software the systems depend on. The ICS vendor has stated that a compatible patch release is at least 18 months away, and the operations team has rejected taking the systems offline due to critical safety requirements. Which vulnerability response approach BEST reduces the immediate risk posed by this unpatched vulnerability given the operational constraints?

Question 5

The CISO of a financial services firm is reviewing a formal request submitted by the owner of a legacy payment processing application. The application is affected by a critical vulnerability that the organization's vulnerability management policy requires to be patched within 30 days of discovery. However, the application owner has determined that applying the required patch would necessitate a 72-hour scheduled maintenance window that cannot be safely accommodated until after a major quarterly reporting cycle ending in approximately 90 days. The application owner has documented the business justification and proposed interim risk mitigations and is requesting formal authorization to delay the patch beyond the standard 30-day deadline. Which vulnerability management process is the application owner using to request a deviation from the standard remediation policy?

Question 6

A security engineer at a national retail company has completed deploying patches to a group of 52 Linux web servers that were flagged with a critical remote code execution vulnerability by the enterprise vulnerability scanner during last week's scheduled scan. The endpoint management platform confirms the patches were successfully installed on all 52 servers, and the operations team has signed off on the change management ticket. However, the organization's vulnerability management policy requires that all remediation activities be formally validated before findings can be closed in the vulnerability tracking system and reported as resolved to the CISO. Which validation activity should the security engineer perform FIRST as part of the remediation validation lifecycle?

Question 7

A security manager at a rapidly growing fintech startup is presenting a proposal to the executive team to establish a structured program that allows independent external security researchers to legally discover and report vulnerabilities in the company's web applications, APIs, and mobile platform. The program would clearly define the scope of systems researchers are authorized to test, specify permitted testing techniques, require researchers to report findings to the security team before any public disclosure, and offer tiered financial compensation based on the severity and impact of each validated vulnerability. Which type of vulnerability identification program is the security manager describing?

Question 8

A vulnerability analyst at a large healthcare organization is reviewing two open findings that both received an identical CVSS base score of 8.9 (High). The first finding affects an internal development sandbox server accessible only by three engineers on an isolated non-production network with no internet connectivity and no patient data. The second finding affects an internet-facing patient portal that stores and processes protected health information (PHI) for over 2 million patients and is accessible 24 hours a day by the public. The analyst's team lead advises her to move beyond the base score and apply additional CVSS scoring that incorporates factors specific to the organization's environment when deciding which finding to patch first. Which CVSS component allows organizations to adjust the effective severity of a vulnerability by accounting for organizational and environmental context?

Question 9

A threat intelligence analyst working for a managed security services provider is conducting routine monitoring of underground forums and illicit marketplaces on the dark web as part of the organization's proactive vulnerability identification program. During a monitoring session, the analyst discovers a post on a known cybercriminal forum in which a threat actor claims to be selling a working proof-of-concept exploit for an unpatched zero-day vulnerability affecting the specific version of enterprise VPN software currently deployed by one of the firm's major financial sector clients. The analyst confirms that neither the client nor the VPN vendor has been notified about this vulnerability through any official channel. Which vulnerability identification method does this activity represent according to the SY0-701 exam objectives?

Question 10

Your organization recently completed a third-party vulnerability assessment that identified a critical OS command injection flaw in the web-facing component of the customer order management platform. The software vendor released a patch three weeks ago, but the operations team delayed deployment due to concerns about application compatibility with a downstream integration. After the threat intelligence team detected active exploitation of the same vulnerability at peer organizations in the same industry vertical, the CISO directed the security team to apply the patch immediately in an emergency maintenance window, which was completed successfully at 2:00 AM. According to the vulnerability response and remediation validation lifecycle defined in the SY0-701 objectives, what is the MOST appropriate next action the security team should take following the emergency patch deployment?