A company recently experienced a data breach due to an unpatched vulnerability in a public-facing web application. During the post-incident review, the IT risk manager notes that the vulnerability was identified by the vulnerability scanner six months ago but was not remediated because the patch required a critical database server restart. Which of the following is the BEST risk treatment decision to prevent a recurrence?
- Trap 1: Ignore the vulnerability until the next maintenance window. Ignoring would leave the system exposed.
- Trap 2: Escalate the risk to senior management for acceptance. Escalation without treatment action would not remediate the vulnerability.
- Trap 3: Accept the risk based on the low likelihood of exploitation. The likelihood is not low since exploitation occurred.
- A: Ignore the vulnerability until the next maintenance window.
  Why wrong: Ignoring would leave the system exposed.
- B: Escalate the risk to senior management for acceptance.
  Why wrong: Escalation without treatment action would not remediate the vulnerability.
- C: Implement a compensating control such as a web application firewall.
  Why correct: A WAF can block exploitation attempts until a proper patch can be applied.
- D: Accept the risk based on the low likelihood of exploitation.
  Why wrong: The likelihood is not low since exploitation occurred.