Certified Ethical Hacker (CEH v13) — Question 33
An organization suspects a persistent threat from a cybercriminal. They hire an ethical hacker, John, to evaluate their system security. John identifies several vulnerabilities and advises the organization on preventive measures. However, the organization has limited resources and opts to fix only the most severe vulnerability. Subsequently, a data breach occurs exploiting a different vulnerability. Which of the following statements best describes this scenario?
Answer options
- A. The organization is at fault because it did not fix all identified vulnerabilities.
- B. Both the organization and John share responsibility because they did not adequately manage the vulnerabilities.
- C. John is at fault because he did not emphasize the necessity of patching all vulnerabilities.
- D. The organization is not at fault because they used their resources as per their understanding.
Correct answer: A
Explanation
The correct answer is A because the organization chose to fix only the most severe vulnerability, leaving the other identified vulnerabilities unremediated, and one of those was later exploited in the data breach. While John provided recommendations, the organization had the final decision and responsibility for managing the vulnerabilities. The other options incorrectly distribute blame or absolve the organization of responsibility.