CompTIA PenTest+ (PT0-001) — Question 30

A security assessor completed a comprehensive penetration test of a company and its networks and systems. During the assessment, the tester identified a vulnerability in the crypto library used for TLS on the company's intranet-wide payroll web application. However, the vulnerability has not yet been patched by the vendor, although a patch is expected within days. Which of the following strategies would BEST mitigate the risk of impact?

Answer options

• A. Modify the web server crypto configuration to use a stronger cipher-suite for encryption, hashing, and digital signing.
• B. Implement new training to be aware of the risks in accessing the application. This training can be decommissioned after the vulnerability is patched.
• C. Implement an ACL to restrict access to the application exclusively to the finance department. Reopen the application to company staff after the vulnerability is patched.
• D. Require payroll users to change the passwords used to authenticate to the application. Following the patching of the vulnerability, implement another required password change.

Correct answer: C

Explanation

The correct answer is C because restricting access to the finance department minimizes the exposure of the vulnerable application until a patch is available. Option A does not address the underlying vulnerability, while B and D focus on user behavior rather than mitigating access to the exposed system.