Certified Ethical Hacker (CEH v12) — Question 142
An organization suspects a persistent threat from a cybercriminal. They hire an ethical hacker, John, to evaluate their system security. John identifies several vulnerabilities and advises the organization on preventive measures. However, the organization has limited resources and opts to fix only the most severe vulnerability. Subsequently, a data breach occurs exploiting a different vulnerability. Which of the following statements best describes this scenario?
Answer options
- A. The organization is at fault because it did not fix all identified vulnerabilities.
- B. Both the organization and John share responsibility because they did not adequately manage the vulnerabilities.
- C. John is at fault because he did not emphasize the necessity of patching all vulnerabilities.
- D. The organization is not at fault because they used their resources as per their understanding.
Correct answer: A
Explanation
The correct answer is A because the organization had a duty to address all identified vulnerabilities to ensure security. By fixing only the most severe one, it left itself exposed to other risks, which led to the breach. Options B and C incorrectly assign blame to John or imply shared responsibility, when the organization alone made the final decision. Option D is incorrect because using its resources as it saw fit does not absolve the organization of the responsibility for addressing known vulnerabilities.