CompTIA CySA+ (CS0-003) — Question 275
A security analyst is conducting a vulnerability assessment of a company’s online store. The analyst discovers a critical vulnerability in the payment processing system that could be exploited, allowing attackers to steal customer payment information. Which of the following should the analyst do next?
Answer options
- A. Leave the vulnerability unpatched until the next scheduled maintenance window to avoid potential disruption to business.
- B. Perform a risk assessment to evaluate the potential impact of the vulnerability and determine whether additional security measures are needed.
- C. Ignore the vulnerability since the company recently passed a payment system compliance audit.
- D. Patch the vulnerability as soon as possible to ensure customer payment information is secure.
Correct answer: B
Explanation
The correct answer is B. A finding from a vulnerability assessment is not yet a confirmed, prioritised risk: the analyst's next step is to assess it, that is, confirm the vulnerability is real and reachable, estimate how likely exploitation is, and establish what the impact on customer payment data would be, so the organisation can prioritise it correctly and choose the right remediation, which may be a patch, a compensating control, or both. Leaving it unpatched until the next maintenance window (A) accepts an unevaluated critical risk, and a recent compliance audit (C) says nothing about a vulnerability found afterwards; an audit is a point-in-time snapshot, not evidence of security. Patching quickly (D) is the likely outcome, but a patch is a change to a production payment system, usually owned by another team and subject to change management, and it should be driven by the assessment rather than precede it. In practice the assessment for a finding like this is fast and feeds straight into remediation; it is not a reason for delay, and PCI DSS, which applies to a payment processing system, expects critical or high security patches to be installed within one month of release.