CompTIA Security+ (SY0-501) — Question 963
A Chief Information Officer (CIO) recently saw on the news that a significant security flaw exists with a specific version of a technology the company uses to support many critical applications. The CIO wants to know if this reported vulnerability exists in the organization and, if so, to what extent the company could be harmed.
Which of the following would BEST provide the needed information?
Answer options
- A. Penetration test
- B. Vulnerability scan
- C. Active reconnaissance
- D. Patching assessment report
Correct answer: A
Explanation
A penetration test is the most effective method for simulating an attack on the system to identify vulnerabilities and assess the potential impact, making it the best choice. While a vulnerability scan can identify known weaknesses, it does not evaluate the exploitability or the potential harm, which is crucial in this scenario. Active reconnaissance focuses on gathering information without testing vulnerabilities, and a patching assessment report merely reviews applied updates without assessing security flaws.