312-50V10 · Question #813
A post-breach forensic investigation revealed that a known vulnerability in Apache Struts was to blame for the Equifax data breach that affected 143 million customers. A fix was available from the sof
The correct answer is D. Patch management. The Equifax breach resulted from a known Apache Struts vulnerability that went unpatched for months despite an available fix, which is a direct failure of patch management.
Question
A post-breach forensic investigation revealed that a known vulnerability in Apache Struts was to blame for the Equifax data breach that affected 143 million customers. A fix was available from the software vendor for several months prior 10 the Intrusion. This Is likely a failure in which of the following security processes?
Options
- Avendor risk management
- BSecurity awareness training
- CSecure deployment lifecycle
- DPatch management
How the community answered
(24 responses)- B4% (1)
- C4% (1)
- D92% (22)
Why each option
The Equifax breach resulted from a known Apache Struts vulnerability that went unpatched for months despite an available fix, which is a direct failure of patch management.
Vendor risk management addresses risks introduced by third-party suppliers and their products, not the internal failure to deploy an already-available software patch.
Security awareness training targets human behavior such as phishing susceptibility, not operational processes for maintaining system software currency.
Secure deployment lifecycle (SDLC) governs how in-house software is designed, built, and released, not how externally supplied patches are applied to production systems.
Patch management is the operational process of identifying known vulnerabilities, obtaining vendor-supplied fixes, and applying them to systems in a timely manner. Because a fix had been available for months before the intrusion, the failure to apply that patch is the root cause of the breach and is the direct responsibility of the patch management process.
Concept tested: Patch management failure and vulnerability remediation
Source: https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final
Topics
Community Discussion
No community discussion yet for this question.