Following a quarterly vulnerability assessment, the security team's report lists several CVSS 9.8 flaws affecting Internet-facing web servers for which vendor patches are already available. When crafting the remediation action plan, what should be the analyst's FIRST recommendation?
Schedule mandatory user awareness sessions on web application security.
Deploy the available security patches to eliminate the critical vulnerabilities.
Pause the project until business stakeholders redefine hosting requirements for the servers.
Install compensating host-based firewalls and monitoring rules until patch windows are approved.
Applying vendor-supplied security patches directly removes the underlying vulnerabilities and closes attackers' most likely entry point, making it the preferred first step in an action plan for critical flaws. Compensating controls are appropriate only when a patch is unavailable or cannot be applied immediately. Awareness training and business-requirement reviews improve security posture but do not remediate the present high-risk weaknesses.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
Why is patching prioritized over implementing compensating controls?
Open an interactive chat with Bash
What are compensating controls, and when are they implemented?
Open an interactive chat with Bash
How do awareness and training programs help in vulnerability management?