2025 CPMA Exam

Welcome to the CPMA Exam. Please enter the info below. This exam is not timed. The last question requires a sample image file downloaded below.

Good Luck!

  • What best accounts for WannaCry’s rapid global spread?
    a) Vendors withheld AV signatures
    b) It targeted only IoT devices
    c) Admin credentials were stolen
    d) A released patch wasn’t widely applied
    e) It was an unpatchable zero-day

  • In the 2017 Equifax incident, which software was the vulnerable component?
    a) Cisco IOS
    b) Adobe Flash
    c) Apache Struts
    d) Oracle Database
    e) Microsoft Exchange

  • Which option most accurately defines a “hotfix”?
    a) Update that adds new features
    b) Emergency update issued outside normal cycles
    c) Firmware upgrade for hardware devices
    d) Lab-only test build
    e) Bundle of all prior updates

  • Pick the statement that correctly contrasts vulnerability management with patch management:
    a) Patch management deploys fixes; vulnerability management finds and ranks weaknesses
    b) Vulnerability management deploys patches; patch management finds flaws
    c) They are identical processes
    d) Patch management is hardware-only; vulnerability is software-only
    e) Vulnerability management writes vendor patches

  • Why keep a rollback plan when patching?
    a) To monitor compliance
    b) To restore service if a patch destabilizes systems
    c) To decide deployment order
    d) To automate every patch
    e) To document exceptions for regulators only

  • When an in-use system can’t be patched, which is a valid compensating control?
    a) Ignore the issue until next cycle
    b) Remove it from inventory
    c) Segment the asset on the network
    d) Defer indefinitely without review
    e) Apply extra patches elsewhere

  • Which tool is a vulnerability scanner?
    a) Jamf
    b) Intune
    c) WSUS
    d) Nessus
    e) SCCM

  • An “out-of-band” update is best represented by:
    a) A Windows 7 service pack
    b) A cumulative rollup including prior fixes
    c) An emergency zero-day patch released off-cycle
    d) A driver plus firmware bundle
    e) A standard Patch Tuesday release

  • Roughly what was the financial settlement tied to Equifax’s breach?
    a) $4 billion
    b) $200 million
    c) $10 billion
    d) $700 million
    e) $70 million

  • What is the main risk of trying to patch every system immediately?
    a) Better alignment with business priorities
    b) Higher coverage percentage
    c) Reduced backlog only
    d) Increased downtime and instability
    e) Lower compliance rates by default

  • Which metric captures average time from patch release to deployment?
    a) Coverage percentage
    b) Exception ratio
    c) Exploit likelihood
    d) Mean Time to Patch (MTTP)
    e) Compliance rate

  • During Log4j, what stymied many organizations most?
    a) Regulators blocked patching
    b) No patch existed for weeks
    c) AV products blocked the fix
    d) Finding all instances of Log4j across apps
    e) Exploit code never emerged

  • Which is an example of an endpoint management platform?
    a) CVSS
    b) EPSS
    c) KEV
    d) Intune
    e) Nessus

  • Why was NotPetya viewed as unusually destructive?
    a) It demanded ransom with perfect, recoverable keys
    b) State-sponsored intent to cause destruction
    c) It focused on IoT only
    d) It required no patch from Microsoft
    e) It needed constant user interaction

  • Why are firmware updates frequently overlooked?
    a) They are less critical than app updates
    b) They install automatically without approval
    c) Failed updates can brick hardware
    d) They are always part of cumulative updates
    e) They cannot be exploited remotely

  • Which single question best ties prioritization to business impact?
    a) How many endpoints are affected?
    b) Is exploit code public?
    c) Is the system part of compliance reporting?
    d) What is the CVSS score?
    e) Does this system process sensitive or regulated data?

  • In patch management, “smoke testing” means:
    a) Measuring long-term risk reduction
    b) Verifying critical functions still work post-patch
    c) Testing only firmware changes
    d) Confirming exception records
    e) Calculating coverage rates

  • Which choice best represents a sound exception process?
    a) Skip low severity by default
    b) Wait for the next service pack
    c) Patch only when regulators demand it
    d) Ignore vendor patches unless exploited
    e) Document why a patch can’t be applied and add compensating controls

  • Which system forecasts near-term exploitation probability (about 30 days)?
    a) CVSS
    b) EPSS
    c) KEV
    d) SOX
    e) VPR

  • What role does PatchPlan.io play?
    a) It replaces scanners entirely
    b) It auto-deploys all patches with no testing
    c) It generates new vulnerabilities for testing
    d) It prioritizes patching by analyzing scan data for risk and impact
    e) It only does compliance reports

  • What was a key takeaway from the 2013 Target breach?
    a) Only mobile devices require patching
    b) Unpatched assets plus weak third-party security raise risk
    c) Firmware updates are irrelevant in retail
    d) AV signatures alone stop patch-related breaches
    e) The incident was due to an unpatchable zero-day

  • Why is patching considered measurable?
    a) Regulators publish fixed scores for patches
    b) It applies only to Windows
    c) Metrics are optional
    d) Scanning verifies vulnerability counts and compliance
    e) No business context is required

  • Which cultural factor most strongly drives patching success?
    a) Outsourcing without oversight
    b) Treating it as low-priority maintenance
    c) Executive sponsorship with clear accountability
    d) Hiding data to avoid tough conversations
    e) Assigning patching only to junior staff

  • Which factor makes patch management a continuous rather than one-time effort?
    a) Vendors issue patches only annually
    b) Auditors constantly change regulations
    c) New vulnerabilities are discovered almost every day
    d) Cloud systems never need updates
    e) Patches automatically apply without oversight

  • Why is testing patches before deployment critical?
    a) To avoid compatibility issues and business disruption
    b) To shorten compliance reporting cycles
    c) To eliminate the need for rollback plans
    d) To reduce patch file sizes
    e) To improve vendor scoring accuracy
