nerdexam
EC-Council

312-50V10 · Question #813

A post-breach forensic investigation revealed that a known vulnerability in Apache Struts was to blame for the Equifax data breach that affected 143 million customers. A fix was available from the sof

The correct answer is D. Patch management. The Equifax breach resulted from a known Apache Struts vulnerability that went unpatched for months despite an available fix, which is a direct failure of patch management.

Vulnerability Analysis

Question

A post-breach forensic investigation revealed that a known vulnerability in Apache Struts was to blame for the Equifax data breach that affected 143 million customers. A fix was available from the software vendor for several months prior 10 the Intrusion. This Is likely a failure in which of the following security processes?

Options

  • Avendor risk management
  • BSecurity awareness training
  • CSecure deployment lifecycle
  • DPatch management

How the community answered

(24 responses)
  • B
    4% (1)
  • C
    4% (1)
  • D
    92% (22)

Why each option

The Equifax breach resulted from a known Apache Struts vulnerability that went unpatched for months despite an available fix, which is a direct failure of patch management.

Avendor risk management

Vendor risk management addresses risks introduced by third-party suppliers and their products, not the internal failure to deploy an already-available software patch.

BSecurity awareness training

Security awareness training targets human behavior such as phishing susceptibility, not operational processes for maintaining system software currency.

CSecure deployment lifecycle

Secure deployment lifecycle (SDLC) governs how in-house software is designed, built, and released, not how externally supplied patches are applied to production systems.

DPatch managementCorrect

Patch management is the operational process of identifying known vulnerabilities, obtaining vendor-supplied fixes, and applying them to systems in a timely manner. Because a fix had been available for months before the intrusion, the failure to apply that patch is the root cause of the breach and is the direct responsibility of the patch management process.

Concept tested: Patch management failure and vulnerability remediation

Source: https://csrc.nist.gov/publications/detail/sp/800-40/rev-4/final

Topics

#patch management#vulnerability management#Apache Struts#data breach

Community Discussion

No community discussion yet for this question.

Full 312-50V10 Practice