A security assessor completed a comprehensive penetration test of a company and its networks and systems.
During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company’s intranet-wide payroll web application.
However, the vulnerability has not yet been patched by the vendor, although a patch is expected within days.
Which of the following strategies would BEST mitigate the risk of impact?
A. Modify the web server crypto configuration to use a stronger cipher-suite for encryption, hashing, and digital signing.
B. Implement new training to be aware of the risks in accessing the application. This training can be decommissioned after the vulnerability is patched.
C. Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched.
D. Require payroll users to change the passwords used to authenticate to the application. Following the patching of the vulnerability, implement another required password change.
Answer: C. The flaw is in the TLS library itself and the question does not tie it to a particular cipher suite, so reconfiguring cipher suites (A) cannot be relied on to remove it; awareness training (B) and password rotation (D) change nothing about which hosts can reach the vulnerable TLS endpoint. Restricting the application to the finance users who actually need it shrinks the exposed attack surface for the few days until the vendor patch is available, and the ACL can be removed once the patch is deployed.
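The following is an added example of what option C looks like in practice; it is not part of the original question and does not describe any particular vendor's product. It assumes the payroll application is fronted by nginx and that the finance department sits on the hypothetical subnet 10.20.30.0/24 (replace with the real range). The first server block is the intranet-wide exposure described in the question, the second is the temporary finance-only ACL.

```nginx
# Added example, not from the original page. Hostnames, paths and the
# finance subnet (10.20.30.0/24) are assumptions for illustration only.

# BEFORE: intranet-wide exposure. Any internal host can complete a TLS
# handshake with the vulnerable library on this listener.
server {
    listen 443 ssl;
    server_name payroll.intranet.example;            # hypothetical name

    ssl_certificate     /etc/nginx/tls/payroll.crt;  # hypothetical path
    ssl_certificate_key /etc/nginx/tls/payroll.key;  # hypothetical path

    location / {
        proxy_pass http://127.0.0.1:8080;            # payroll app backend
    }
}

# AFTER: temporary ACL until the vendor patch is deployed. Only the finance
# subnet is served; everyone else receives 403 Forbidden.
server {
    listen 443 ssl;
    server_name payroll.intranet.example;

    ssl_certificate     /etc/nginx/tls/payroll.crt;
    ssl_certificate_key /etc/nginx/tls/payroll.key;

    location / {
        allow 10.20.30.0/24;   # finance department (assumed range)
        deny  all;             # all other intranet hosts, remove after patching
        proxy_pass http://127.0.0.1:8080;
    }
}
```

Two caveats a practitioner should keep in mind. First, nginx `allow`/`deny` is evaluated against `$remote_addr` after the TLS handshake has already completed, so the vulnerable library code still runs for every connecting client before the request is rejected; because the flaw is in the TLS library, the ACL is stronger when enforced at the network layer (host firewall, switch or cloud security group) in front of the listener, with the nginx rule kept as a second layer. Second, if a load balancer or reverse proxy sits in front of the server, `$remote_addr` is the proxy's address, not the user's, and the rule must instead rely on the proxy's own source restriction or on the real IP module configured to trust only that proxy; otherwise the ACL will either block everyone or no one.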