
CAS-002 Question #775: Real Exam Question with Answer & Explanation

The correct answer is A.

Question

A completely new class of web-based vulnerabilities has been discovered. Claims have been made that all common web-based development frameworks are susceptible to attack. Proof-of-concept details have emerged on the Internet. A security advisor within a company has been asked to provide recommendations on how to respond quickly to these vulnerabilities. Which of the following BEST describes how the security advisor should respond?

Options

  • A. Assess the reliability of the information source, likelihood of exploitability, and impact to hosted
  • B. Hire an independent security consulting agency to perform a penetration test of the web servers.
  • C. Review vulnerability write-ups posted on the Internet. Respond to management with a
  • D. Notify all customers about the threat to their hosted data. Bring the web servers down into

Explanation

When a newly discovered vulnerability class is reported, the first step is a structured risk evaluation: assess the credibility of the source, the likelihood that the vulnerability is actually exploitable in the company's environment, and the business impact on the hosted data before taking any reactive action. Because proof-of-concept details are already public, the claim can be validated against the frameworks the company actually runs rather than taken at face value. This avoids overreaction to unverified claims while ensuring genuine threats receive prompt attention. The same split into exploitability and impact is what the CVSS base metrics formalise (see the reference below), which gives the triage a repeatable, defensible score instead of a gut reaction.

Common mistakes.

  • B. Immediately hiring a penetration testing firm is premature and costly before the threat has been validated and scoped; penetration testing confirms exploitability but is not the first response step when basic triage has not yet occurred.
  • C. Relying solely on Internet write-ups for vulnerability information without assessing source credibility risks acting on inaccurate or incomplete data, which could lead to misdirected remediation efforts.
  • D. Taking web servers offline and notifying all customers before completing a risk assessment is a disproportionate response that causes unnecessary business disruption and reputational harm if the threat turns out to be overstated or inapplicable.

Concept tested. Vulnerability risk triage and response prioritization

Reference. https://www.first.org/cvss/specification-document
