
CYSA-004 Practice Questions: Vulnerability Management Domain

Test your CYSA-004 knowledge with 10 practice questions from the Vulnerability Management domain. Includes detailed explanations and answers.

CYSA-004 Practice Questions

Master the Vulnerability Management Domain

Test your knowledge in the Vulnerability Management domain with these 10 practice questions. Each question is designed to help you prepare for the CYSA-004 certification exam with detailed explanations to reinforce your learning.

Question 1

A healthcare organization wants visibility into a sensitive network segment.
Artifact:
- Segment: 10.77.14.0/24
- Assets: infusion pump controllers and monitoring appliances
- Vendor note: active scans may interrupt patient sessions
- Business requirement: 24/7 uptime
- Goal: identify hosts, services, and communication patterns with minimal disruption
What is the best assessment approach?

A) Use passive network monitoring first and schedule any targeted active validation later

B) Launch a full authenticated vulnerability scan immediately for the most complete results

C) Run repeated Nmap version scans during peak hours to capture all open services

D) Skip assessment entirely because medical devices should never be evaluated


Correct Answer: A

Explanation:

Correct answer (A): Passive monitoring (for example, a SPAN or TAP feed into a network sensor) is the best initial method because the environment is availability-sensitive and the vendor explicitly warns that active scans may interrupt patient sessions. In fragile or latency-sensitive environments, analysts should gather visibility with the least disruptive method first, then coordinate limited active validation only when needed and when it is operationally safe. The trade-off is that passive monitoring only sees what actually communicates during the observation window, so a host or listening service that stays quiet will be missed; that gap is what the later, scheduled active validation is for.

Why the other options are wrong:
- Option B: Authenticated scans provide deeper detail, but they are an active method and conflict with the stated risk of disrupting patient sessions.
- Option C: Repeated active version scans during peak hours directly ignore the vendor warning and the 24/7 uptime requirement.
- Option D: The goal is still to assess the environment safely. The right answer is a lower-impact method, not avoiding visibility altogether.
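One way to carry out the passive step described above is to build the host, service and communication inventory from a network sensor's flow records rather than from probes. The example below is added here and is not from the page or from FlashGenius; it parses Zeek-style conn.log records (the field names follow Zeek's conn.log layout, but the five log lines are constructed for this illustration) and only credits a host with a listening service when the responder actually answered, so a half-open attempt such as the S0 entry cannot conjure a listener that may not exist.

```python
"""Passive host/service inventory for 10.77.14.0/24 from Zeek-style conn.log lines.

Added example, not page or vendor code. The log records are constructed; the
column names mirror Zeek's conn.log so the parser works on a real #fields header.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: a #fields header plus five flows. The last record is a
# connection attempt that never got a reply (conn_state S0).
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1711111111.1\tC1\t10.77.14.5\t50214\t10.77.14.21\t443\ttcp\tssl\tSF
1711111112.2\tC2\t10.77.14.5\t50215\t10.77.14.21\t443\ttcp\tssl\tS1
1711111113.3\tC3\t10.77.14.21\t41000\t10.77.14.22\t2575\ttcp\t-\tSF
1711111114.4\tC4\t10.77.14.21\t53011\t10.10.0.50\t53\tudp\tdns\tSF
1711111115.5\tC5\t10.77.14.5\t50300\t10.77.14.23\t22\ttcp\t-\tS0
"""

# Zeek conn_state values in which the responder sent traffic back.
ANSWERED_STATES = {"S1", "S2", "S3", "SF", "RSTO", "RSTR"}


def parse_conn_log(text):
    """Yield one dict per record, taking column names from the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split("\t")
        if fields is None or len(values) != len(fields):
            continue  # headerless or malformed line: skip rather than guess
        yield dict(zip(fields, values))


def build_inventory(records, segment):
    """Return {host: {"services": [...], "talks_to": {...}}} for hosts inside segment.

    A host only gets a service entry when the responder answered, so S0/REJ
    attempts (no reply) never turn into a listening service.
    """
    net = ipaddress.ip_network(segment)
    inventory = defaultdict(lambda: {"services": set(), "talks_to": defaultdict(int)})
    for r in records:
        orig = ipaddress.ip_address(r["id.orig_h"])
        resp = ipaddress.ip_address(r["id.resp_h"])
        if resp in net and r["conn_state"] in ANSWERED_STATES:
            # service "-" means Zeek saw the flow but did not recognise the protocol
            inventory[str(resp)]["services"].add((r["proto"], int(r["id.resp_p"]), r["service"]))
        if orig in net:
            # communication pattern: who a segment host talks to, including peers outside it
            inventory[str(orig)]["talks_to"][(str(resp), int(r["id.resp_p"]))] += 1
    return {
        host: {"services": sorted(v["services"]), "talks_to": dict(v["talks_to"])}
        for host, v in inventory.items()
    }


if __name__ == "__main__":
    for host, info in sorted(build_inventory(parse_conn_log(SAMPLE_CONN_LOG), "10.77.14.0/24").items()):
        print(host, "serves", info["services"], "talks to", info["talks_to"])
```

Note that 10.77.14.23 does not appear in the result at all: the only evidence for it is an unanswered SYN, which is exactly the kind of thing a follow-up active check, scheduled with the device owners, should confirm or rule out.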

Question 2

A vulnerability team reviews endpoint coverage.
Artifact:
- Managed laptops: 650
- Not seen on corporate network in last 30 days: 240
- Work model: mostly remote
- Requirement: weekly vulnerability and missing-patch visibility for all laptops
- Constraint: no always-on VPN requirement
Which approach best meets the requirement?

A) Deploy an agent-based vulnerability solution to the laptops

B) Increase internal network scan frequency on the data center VLANs

C) Run monthly unauthenticated scans against the VPN gateway only

D) Wait for users to return on-site before collecting vulnerability data


Correct Answer: A

Explanation:

Correct answer (A): Agent-based assessment is the best choice because many endpoints are remote and not consistently reachable by internal network scanning. An agent can report missing patches and local vulnerability data regardless of whether the device is on the corporate network, as long as it can reach its management console over the internet. This is a practical visibility decision, not just a scanning preference; after deployment, the agent console's last-check-in report becomes the control that proves the 240 off-network laptops are actually covered each week.

Why the other options are wrong:
- Option B: Scanning data center VLANs more often does not solve the main problem: hundreds of laptops are off-network and therefore unreachable by internal scans.
- Option C: Scanning the VPN gateway evaluates the gateway, not the patch state and local vulnerabilities of individual laptops.
- Option D: Delaying assessment until users return on-site fails the stated weekly visibility requirement and leaves a large portion of the fleet unassessed.

Question 3

A scan reports the following finding:
- Asset: VPN-MGMT
- IP: 198.51.100.14
- Service: admin portal on 8443/tcp
- Finding: remote code execution vulnerability
- CVSS: 9.1
- EPSS: 0.87
- Exposure: internet-facing
- Business note: the portal is used only by administrators from the HQ subnet 203.0.113.0/24
- Vendor note: patch expected in 12 days
What is the best immediate action for the analyst to recommend?

A) Restrict 8443 access to the HQ subnet and block all other public sources until the patch is available

B) Wait for the vendor patch and increase log retention on the gateway in the meantime

C) Mark the issue as accepted risk because only administrators use the portal

D) Reboot the gateway nightly to clear any attempted exploitation before patching


Correct Answer: A

Explanation:

Correct answer (A): Because the vulnerable portal is internet-facing but only needed by administrators from one known subnet, the strongest immediate control is to reduce exposure with an access restriction: allow 8443/tcp only from 203.0.113.0/24 and deny everything else. This is a practical compensating control that materially lowers risk while waiting for the vendor patch. It does not replace patching, and the restriction should be confirmed from an external vantage point rather than assumed from the rule change, but it is the best immediate action in this scenario.

Why the other options are wrong:
- Option B: More logging may help visibility, but it does not materially reduce attack surface. Given the high EPSS and public exposure, waiting without restricting access is not the best choice.
- Option C: Administrative use does not reduce risk by itself. Formal risk acceptance is not appropriate when a high-risk internet-facing service can still be mitigated.
- Option D: Rebooting is not a meaningful compensating control for a remotely exploitable vulnerability. It neither reduces exposure nor fixes the underlying issue.

Question 4

A network team reports that a critical vulnerability has been patched on an external appliance.
Remediation tracker:
- Asset: vpn-edge-01
- Finding ID: V-4431
- Exposure: internet-facing
- Status from network team: patched yesterday
- Evidence attached: change ticket only
- Latest scan result: from last week, before the patch
What should the analyst do before marking the finding closed?

A) Close the item using the network team's change ticket as evidence

B) Rescan or retest the appliance and attach verification results

C) Wait for the next monthly dashboard refresh before updating status

D) Downgrade the item to informational since patching was attempted


Correct Answer: B

Explanation:

Correct answer (B): Reported remediation is not enough by itself. The analyst should verify that the exposure is actually gone by rescanning or otherwise retesting the appliance, then document that result. The rescan should use the same check that originally detected V-4431, from the same external vantage point, and its timestamp must postdate the change; a scan from before the patch says nothing about the current state. Verification is a key part of the vulnerability response lifecycle and prevents premature closure.

Why the other options are wrong:
- Option A: A change ticket shows intent or action, but it does not confirm the vulnerability is no longer present.
- Option C: Waiting for a dashboard cycle delays validation and does not directly confirm the current state of the asset.
- Option D: Attempted remediation does not justify downgrading severity or changing the factual status of the finding.

Question 5

An authenticated scan confirms that a legacy radiology server uses an unsupported operating system with multiple kernel vulnerabilities. The medical device vendor will not provide a supported upgrade for 9 months. Current controls include a dedicated VLAN, ACLs that allow only the application server to connect, and no internet access. The business owner approves continued use if the risk is formally documented. What is the BEST analyst recommendation?

A) Document risk acceptance with the current mitigations, require periodic review, and continue pursuing replacement

B) Remove the ACLs so operations staff can access the server more easily until a patch is released

C) Close the finding as a false positive because no vendor patch is available

D) Leave the finding open but postpone documentation until the vendor provides an upgrade


Correct Answer: A

Explanation:

Correct answer (A): This is a classic case for documented risk acceptance with compensating controls. The vulnerability is real, remediation is not currently feasible, exposure has been reduced through segmentation and ACLs, and the business owner has approved continued operation if the risk is formally recorded. Proper analyst guidance is to document the exception, retain the mitigations, review it periodically, and continue working toward replacement or upgrade.

Why the other options are wrong:
- Option B: Removing ACLs would weaken compensating controls and increase exposure, making the situation worse.
- Option C: No available vendor patch does not make the result a false positive. The vulnerability still exists.
- Option D: Undocumented delay is not valid risk treatment. Risk acceptance must be explicit, documented, and reviewed.

Question 6

A weekly remediation meeting reviews the following findings.
Artifact:
1. VPN gateway | Internet-facing | CVSS 7.5 | EPSS 0.93 | KEV-listed | Asset criticality: very high
2. Internal file server | Internal only | CVSS 9.8 | EPSS 0.02 | No known exploit activity | Asset criticality: medium
3. Developer workstation | Internal only | CVSS 8.8 | EPSS 0.18 | EDR present | Asset criticality: low
4. Test web server | Internet-facing | CVSS 6.5 | EPSS 0.05 | Nonproduction | Asset criticality: low
Which finding should the analyst recommend remediating first?

A) The VPN gateway because it is exposed, critical, and likely to be exploited

B) The internal file server because it has the highest CVSS score

C) The developer workstation because endpoint attacks often lead to lateral movement

D) The test web server because internet exposure always outweighs all other factors


Correct Answer: A

Explanation:

Correct answer (A): The VPN gateway is the highest priority because remediation urgency is driven by more than CVSS. It is internet-facing, supports a very high-criticality function, has a very high EPSS score, and is KEV-listed (present in CISA's Known Exploited Vulnerabilities catalog), which indicates known real-world exploitation rather than a theoretical possibility. That combination makes it more urgent than an internal-only CVSS 9.8 finding with low exploit likelihood. CySA+ prioritization requires balancing severity, exploitability, exposure, and business impact together.

Why the other options are wrong:
- Option B: This is a common CVSS-only mistake. The file server is technically severe, but it is internal only, has low EPSS, and lacks active exploitation indicators.
- Option C: Developer workstations can be stepping stones, but this item has lower criticality and weaker exploitability indicators than the VPN gateway.
- Option D: Internet exposure matters, but it does not override all other context. The test web server is low criticality and has much lower exploitability pressure than the VPN gateway.

Question 7

A scan identifies a serious issue on a production web application.
Artifact:
- Asset: payments.example.com
- Finding: remote code execution in exposed framework component
- CVSS: 9.1
- EPSS: 0.88
- Exposure: internet-facing
- Vendor patch ETA: 7 days
- Available controls: WAF, admin path can be IP-restricted
What should the analyst recommend now?

A) Apply a WAF rule and restrict the admin path while scheduling the vendor patch

B) Wait for the vendor patch because temporary controls could complicate troubleshooting

C) Accept the risk until next week because the patch is already planned

D) Reimage the server immediately without considering service continuity


Correct Answer: A

Explanation:

Correct answer (A): The best immediate action is to apply compensating controls now because the application is internet-facing, the vulnerability is severe, and the EPSS is high, but a vendor patch is not available for seven days. WAF rules and access restrictions can materially reduce exposure during that gap. A WAF rule is a virtual patch: it has to be written against the actual request pattern of the vulnerability and tested against it, and a bypass is always possible, so those steps mitigate risk; they do not replace full remediation once the patch becomes available.

Why the other options are wrong:
- Option B: Waiting without mitigation is risky given the internet exposure and high likelihood of exploitation.
- Option C: Risk acceptance does not reduce the technical exposure. The application would remain reachable and vulnerable.
- Option D: Reimaging may cause unnecessary outage and still may not remove the vulnerable condition if the framework issue remains unpatched.

Question 8

During an internal assessment, an analyst receives the following output:
Nmap scan report for 10.20.5.14
- 445/tcp open microsoft-ds
- 3389/tcp open ms-wbt-server
- 80/tcp closed
- OS details: Windows Server 2016 (92%)
What is the best next step for vulnerability management?

A) Treat the host as compromised and start eradication procedures

B) Record the host as fully patched because only two ports are open

C) Conclude SMB is exploitable because port 445 is reachable

D) Use the discovery results to scope the asset and run a vulnerability assessment or patch check


Correct Answer: D

Explanation:

Correct answer (D): This output provides discovery and enumeration data: reachable services, ports, and a probable operating system (the 92% is a fingerprint match confidence, not a confirmed version). That information is useful for scoping the host and planning the next assessment step, but it does not by itself prove exploitability or compromise. The best analyst action is to follow up with a vulnerability assessment or patch verification, ideally an authenticated one, since the actual patch level of SMB and RDP cannot be read from open ports alone.

Why the other options are wrong:
- Option A: Open ports alone are not evidence of compromise. Moving into incident eradication would be premature and would confuse vulnerability assessment with incident response.
- Option B: A host can still be vulnerable even if only a few ports are exposed. Port count does not prove patch status.
- Option C: Reachability of SMB shows attack surface, not confirmed exploitability. Additional assessment is needed to validate whether a relevant vulnerability exists.
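The scoping step in the explanation above, as an added example that is not from the page or from FlashGenius: a small parser for Nmap's normal (-oN) output that turns each "Nmap scan report" block into an asset record, keeps only open ports as attack surface, and records the OS guess with its confidence. The report text is constructed to mirror the Question 8 host plus a second host whose only port is filtered; the FOLLOWUP mapping from service name to follow-up check is an illustrative assumption, not Nmap's or any scanner's own behaviour.

```python
"""Nmap normal output -> assessment scope. Added example, not page or vendor code."""
import re

# Constructed sample in the layout of Nmap -oN output. The OS confidence is shown
# the way the Question 8 artifact shows it.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 10.20.5.14
Host is up (0.0021s latency).
Not shown: 997 filtered tcp ports (no-response)
PORT     STATE  SERVICE
80/tcp   closed http
445/tcp  open   microsoft-ds
3389/tcp open   ms-wbt-server
OS details: Windows Server 2016 (92%)

Nmap scan report for 10.20.5.15
Host is up (0.0030s latency).
PORT     STATE    SERVICE
445/tcp  filtered microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)(?: \((\d+\.\d+\.\d+\.\d+)\))?")
PORT_RE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+(\S+)"
)
OS_RE = re.compile(r"^(?:OS details|Aggressive OS guesses): (.+?)(?: \((\d+)%\))?\s*$")

# Hypothetical mapping: which follow-up a discovered service justifies.
FOLLOWUP = {
    "microsoft-ds": "authenticated Windows patch and SMB configuration assessment",
    "ms-wbt-server": "RDP exposure review and authenticated patch assessment",
}


def parse_nmap_normal(text):
    """Return a list of {host, ports, os, os_confidence} dicts, one per scan report block."""
    hosts, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"host": m.group(2) or m.group(1), "ports": [], "os": None, "os_confidence": None}
            hosts.append(current)
            continue
        if current is None:
            continue  # preamble before the first host block
        m = PORT_RE.match(line)
        if m:
            current["ports"].append(
                {"port": int(m.group(1)), "proto": m.group(2), "state": m.group(3), "service": m.group(4)}
            )
            continue
        m = OS_RE.match(line)
        if m:
            current["os"] = m.group(1)
            current["os_confidence"] = int(m.group(2)) if m.group(2) else None
    return hosts


def assessment_scope(host):
    """Keep only open ports: closed and filtered ports are not reachable attack surface."""
    open_ports = [p for p in host["ports"] if p["state"] == "open"]
    checks = sorted({FOLLOWUP.get(p["service"], f"service fingerprint for {p['service']}") for p in open_ports})
    return {
        "host": host["host"],
        "open_ports": [f"{p['port']}/{p['proto']}" for p in open_ports],
        "os_hint": host["os"],
        # anything below a 100% match is a guess and must be confirmed by the authenticated check
        "os_is_guess": host["os_confidence"] is None or host["os_confidence"] < 100,
        "followup_checks": checks,
    }


if __name__ == "__main__":
    for h in parse_nmap_normal(SAMPLE_NMAP_OUTPUT):
        print(assessment_scope(h))
```

The second host illustrates why state matters: a filtered 445/tcp yields an empty scope, not an SMB finding, which is the same point the explanation makes about reachability versus exploitability.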

Question 9

A new CVE affecting libxml2 was matched against the organization's container SBOM data:
- payments-api:v41 | prod | internet-facing | component present | CVSS 7.4 | EPSS 0.86 | exploit activity reported
- batch-etl:v12 | prod | internal only | component present | CVSS 9.8 | EPSS 0.04 | no exploitation reported
- dev-tools:v8 | private registry only | not deployed | component present | CVSS 9.8 | EPSS 0.04
- metrics-sidecar:v6 | prod | internal only | component absent in SBOM
Build capacity is limited to one image today. Which image should be rebuilt and redeployed first?

A) payments-api:v41 because it is deployed, internet-facing, and has strong exploitation likelihood

B) batch-etl:v12 because its CVSS score is higher than the others with the vulnerable component

C) dev-tools:v8 because fixing nonproduction images first prevents future deployment risk

D) metrics-sidecar:v6 because production deployment alone makes it the highest priority


Correct Answer: A

Explanation:

Correct answer (A): payments-api:v41 is the best choice because it is a live, internet-facing production workload with the vulnerable component confirmed by SBOM data, high EPSS, and reported exploit activity. The batch ETL image has a higher CVSS, but it is less exposed and less likely to be exploited in the near term. The dev-tools image is not deployed, and the metrics sidecar does not contain the vulnerable component at all, with the caveat that "absent in SBOM" is only as reliable as the SBOM itself: a statically linked or vendored copy of libxml2 can escape SBOM generation, so an image scan is the way to confirm absence if there is any doubt.

Why the other options are wrong:
- Option B: This is the CVSS-only trap. Higher severity on an internal workload does not automatically outrank a lower-scored but internet-facing, actively targeted production service.
- Option C: Preventing future deployment risk matters, but addressing a live exposed production workload should come first when capacity is limited.
- Option D: Production status alone is not enough. The SBOM shows this image does not contain the affected component.
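The ranking logic behind Question 6 and Question 9 is the same: combine exploitation likelihood, exposure and impact instead of sorting by CVSS. The example below is added here and is not from the page or from FlashGenius; it encodes both questions' artifacts and ranks them with one scoring function. The weights, the exploitation floor for KEV-listed or actively exploited findings, and the internal-exposure discount are illustrative assumptions to tune for your own program, and since Question 9 states no asset criticality, "medium" is assumed there.

```python
"""Risk-based remediation ranking over the Question 6 and Question 9 findings.

Added example, not page or vendor code. Weights and factors are assumptions.
"""
from dataclasses import dataclass


@dataclass
class Finding:
    name: str
    cvss: float                      # base severity, 0-10
    epss: float                      # probability of exploitation in the next 30 days, 0-1
    internet_facing: bool
    criticality: str = "medium"      # very high / high / medium / low
    kev: bool = False                # in CISA's Known Exploited Vulnerabilities catalog
    exploit_activity: bool = False   # exploitation reported by another source
    deployed: bool = True            # an image that only sits in a registry is not running
    component_present: bool = True   # per SBOM; absence is only as good as the SBOM


CRITICALITY_WEIGHT = {"very high": 1.0, "high": 0.8, "medium": 0.5, "low": 0.25}
EXPLOITED_FLOOR = 0.9    # assumption: confirmed exploitation outranks a low EPSS
INTERNAL_EXPOSURE = 0.4  # assumption: internal-only reachability discounts likelihood


def priority_score(f: Finding) -> float:
    """likelihood x exposure x impact; zero when there is nothing running to fix."""
    if not f.deployed or not f.component_present:
        return 0.0
    likelihood = f.epss
    if f.kev or f.exploit_activity:
        likelihood = max(likelihood, EXPLOITED_FLOOR)
    exposure = 1.0 if f.internet_facing else INTERNAL_EXPOSURE
    impact = (f.cvss / 10.0) * CRITICALITY_WEIGHT[f.criticality]
    return likelihood * exposure * impact


def rank(findings):
    """Names in remediation order, most urgent first."""
    return [f.name for f in sorted(findings, key=priority_score, reverse=True)]


# Question 6 artifact
Q6 = [
    Finding("VPN gateway", 7.5, 0.93, True, "very high", kev=True),
    Finding("Internal file server", 9.8, 0.02, False, "medium"),
    Finding("Developer workstation", 8.8, 0.18, False, "low"),
    Finding("Test web server", 6.5, 0.05, True, "low"),
]

# Question 9 artifact (criticality assumed "medium"; the sidecar gets the CVE's
# score but scores zero because the SBOM shows the component absent)
Q9 = [
    Finding("payments-api:v41", 7.4, 0.86, True, exploit_activity=True),
    Finding("batch-etl:v12", 9.8, 0.04, False),
    Finding("dev-tools:v8", 9.8, 0.04, False, deployed=False),
    Finding("metrics-sidecar:v6", 9.8, 0.04, False, component_present=False),
]

if __name__ == "__main__":
    for label, findings in (("Question 6", Q6), ("Question 9", Q9)):
        print(label)
        for f in sorted(findings, key=priority_score, reverse=True):
            print(f"  {priority_score(f):.3f}  {f.name}")
```

With these weights the CVSS 9.8 internal file server lands last in Question 6 and batch-etl:v12 second in Question 9, which is the "CVSS-only trap" both explanations warn about; the point of writing the rule down is that it can be reviewed and argued over, rather than re-derived in every remediation meeting.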

Question 10

A critical manufacturing support server cannot be patched without breaking a vendor application.
Artifact:
- Asset: lab-scheduler01
- Platform: Windows Server 2012, end of support
- Finding: Remote service vulnerability, CVSS 9.8
- Exposure: Internal only
- Network controls: reachable only from a jump host on a segmented VLAN
- Business note: required for plant scheduling for the next 6 months until replacement
- Patch status: no supported vendor fix
What is the best recommendation for the analyst?

A) Close the finding because network segmentation already solves the risk

B) Apply any available operating system update and mark the issue remediated

C) Shut down the server immediately without business consultation

D) Document a formal exception with owner approval and maintain compensating controls until replacement


Correct Answer: D

Explanation:

Correct answer (D): Because no supported fix exists and the system is still business-critical, the analyst should recommend a documented exception or risk acceptance decision by the appropriate business owner, along with continued compensating controls such as segmentation, jump-host restrictions, and monitoring. The exception should carry an expiry tied to the six-month replacement date and a review cadence, so it cannot quietly outlive the reason it was granted. This is not the same as ignoring the finding; it is a managed treatment decision until the replacement occurs.

Why the other options are wrong:
- Option A: Segmentation reduces risk but does not eliminate it, especially for a critical unsupported system. The finding still requires documented treatment and tracking.
- Option B: Applying unrelated updates does not resolve the unsupported vulnerability. Marking it remediated would be inaccurate.
- Option C: Immediate shutdown may reduce risk, but the stem states the server is needed for manufacturing. A unilateral shutdown is not the best analyst recommendation.


About CYSA-004 Certification

The CYSA-004 certification validates your expertise in vulnerability management and other critical domains. Our comprehensive practice questions are carefully crafted to mirror the actual exam experience and help you identify knowledge gaps before test day.