An organization discovers a critical vulnerability on a public-facing database server. Extensive regression testing means the vendor patch cannot be applied for two weeks, and taking the server offline is not an option. Which of the following actions would BEST serve as a compensating control until the patch can be applied?
Configure the network firewall to allow database connections only from authorized application servers.
Perform a full operating-system upgrade to the latest major version.
Postpone routine database backups to free resources for testing.
Run a new vulnerability scan against the server to confirm the finding.
Configuring the firewall to restrict database traffic to only authorized application servers limits exposure of the vulnerable service and provides an equivalent layer of protection until the vendor patch can be tested and installed. This is the essence of a compensating control-an alternative safeguard that mitigates risk when the primary fix (patching) is temporarily unavailable. Re-scanning the host or delaying backups does not directly reduce the attack surface, and a major operating-system upgrade could introduce new issues without specifically addressing the flaw.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What are some examples of compensating controls?
Open an interactive chat with Bash
Why is patching preferred over compensating controls?
Open an interactive chat with Bash
What are the risks of not patching vulnerabilities?