Exam CISM
Question 84

An information security manager has been informed of a new vulnerability in an online banking application, and a patch to resolve this issue is expected to be released in the next 72 hours. Which of the following should the information security manager do FIRST?

    Correct Answer: C

    When informed of a new vulnerability in an online banking application, the first step the information security manager should take is to perform a risk assessment. This allows them to understand the potential impact and likelihood of the vulnerability being exploited within the 72-hour window before the patch is available. Conducting a risk assessment provides crucial information on the criticality of the system, the sensitivity of the data, the existing security controls, and the potential consequences. This enables informed decision-making regarding the necessity and extent of any mitigating controls, the need to notify senior management, and other actions to manage and mitigate the risk effectively.

Discussion
k4d4v4r (Option: C)

I also think it's C

oluchecpoint (Option: C)

Performing a risk assessment is crucial to understand the potential impact and likelihood of the vulnerability being exploited during the 72-hour window before the patch is available. This assessment will help the manager make informed decisions about whether to implement mitigating controls (A), notify senior management (D), and prioritize actions based on the level of risk associated with the vulnerability. A risk assessment will consider factors such as the criticality of the system, the sensitivity of the data, the existing security controls, and the potential consequences of the vulnerability being exploited. It will help determine if immediate mitigating controls are necessary or if other actions should be taken to reduce the risk while waiting for the patch.

oluchecpoint

C. Perform a risk assessment.

rickcoyw (Option: A)

The FIRST thing the information security manager should do in response to the new vulnerability in the online banking application is to: B. Mitigate the risk by implementing temporary compensating controls. Since the patch to resolve the vulnerability is expected to be released in the next 72 hours, it is crucial to take immediate action to reduce the risk exposure. Implementing temporary compensating controls can help protect the application and its users until the official patch is available. These controls could include measures such as firewall rules, access restrictions, or additional monitoring to prevent potential exploitation of the vulnerability during the interim period. Once the patch is released, it can be applied to permanently address the vulnerability.

helg420 (Option: C)

C. Perform a risk assessment. After the risk assessment, the information security manager will have the necessary information to determine if immediate mitigating controls are needed to temporarily protect against the vulnerability until the patch is released, whether a business impact analysis (BIA) should be conducted to understand the broader implications of the vulnerability, or if the situation warrants immediate notification of senior management due to its potential impact on the organization.

Marcelus1714 (Option: C)

I guess first you need to evaluate the risks that this new vulnerability is generating... then you implement controls, but only later, once it is clear that you have to implement them because the risk level demands it...

AlexJacobson (Option: C)

Interesting how most of the people "enter panic mode" and go for mitigation instead of taking a step back to figure out what the actual risk is. How can you possibly mitigate it properly (let alone cost-effectively) if you don't know how big the actual risk is and haven't done a BIA? Also, keep in mind that the question doesn't specify whether the infosec manager is working for the company/bank whose application is vulnerable.

todush (Option: C)

The best response is C. Indeed, unless the online banking application is critical and the risk linked to the vulnerability is unacceptable, there is no need for any mitigating control.

ahmed1988_ (Option: C)

I GO WITH C

Eltooth (Option: C)

C is the correct answer. A risk assessment leads to understanding how much risk is associated with the vulnerability and whether it warrants mitigation, acceptance, transference or avoidance. Then the next steps would be decided.

Cyberbug2021 (Option: A)

Take that back. Here's a breakdown of the steps to take:

Implement temporary compensating controls: Prioritize immediate actions to reduce the risk of exploitation while the patch is not yet available.
Conduct a BIA: Assess the potential impact of the vulnerability on critical business processes and data assets.
Conduct a risk assessment: Evaluate the likelihood and severity of the risk posed by the vulnerability.
Develop a mitigation plan: Based on the BIA and risk assessment, develop a plan to address the vulnerability in the long term.
Deploy the patch: Once the patch is available, deploy it to all affected systems.
Verify patch installation: Validate that the patch has been successfully installed on all systems.
Monitor for ongoing threats: Continuously monitor for new vulnerabilities and threats that could exploit the patched system.

Cyberbug2021 (Option: B)

The order of business impact analysis (BIA) and risk assessment depends on the specific organization and its risk management framework. However, there is a general consensus that the BIA should be conducted first.

FenixOid (Option: A)

I think answer A is correct. We can add an IPS rule while waiting for a patch.

Perseus_68 (Option: A)

Online banking application: this is high risk, has a high likelihood of getting attacked, and has a vulnerability; risk assessment done. A BIA takes time. Need to implement compensating controls.

sphenixfire (Option: A)

Sure, only A. Just need to straddle the 72h. No need for management info or risk assessment. First things first: close the gap. The risk wasn't identified before, so go to the exit point of the situation.

odus1 (Option: A)

If you choose Option A, I guess I will ask: how do you know the value of the threat, and whether the cost of the mitigating control measures is not more than the value or impact of the threat, without an RA? What gave you the assurance that you can't transfer or ignore the threat if it is not significant, with an RA?

drewl25 (Option: A)

When informed of a new vulnerability in an online banking application, with a patch expected to be released in the next 72 hours, the information security manager's first action should be to implement mitigating controls. Option A, "Implement mitigating controls," is the most appropriate and immediate action to take. Mitigating controls can help minimize the risk and impact of the vulnerability until the patch is available and applied. These controls may include implementing temporary workarounds, configuring additional security measures, or adjusting access controls to limit potential exploitation of the vulnerability.

karanvp (Option: A)

D is not, as this is just a vulnerability (not exploited yet) and not an incident.