CAS-002 Question #102: Real Exam Question with Answer & Explanation
The correct answer is A: The company does not have an adequate test environment to validate the impact of the. Without a test environment, the company cannot validate whether a third-party patch causes system instability or introduces new vulnerabilities before deploying it to production.
Question
The Chief Information Officer (CIO) of Company XYZ has returned from a large IT conference where one of the topics was defending against zero day attacks, specifically deploying third party patches to vulnerable software. Two months prior, the majority of the company systems were compromised because of a zero day exploit. Due to budget constraints, the company only has operational systems. The CIO wants the Security Manager to research the use of these patches. Which of the following is the GREATEST concern with the use of a third party patch to mitigate another un-patched vulnerability?
Options
- A. The company does not have an adequate test environment to validate the impact of the
- B. The third party patch may introduce additional unforeseen risks and void the software
- C. The company's patch management solution only supports patches and updates released
- D. Another period of vulnerability will be introduced because of the need to remove the third
Explanation
Without a test environment, the company cannot validate whether a third-party patch causes system instability or introduces new vulnerabilities before deploying it to production.
Common mistakes.
- B. Voiding a software warranty is a legitimate concern but is secondary to the direct operational and security risk of deploying an untested patch onto live production systems with no rollback environment.
- C. A limitation in the patch management tooling is a logistical obstacle, but the fundamental greatest risk is the inability to test the patch before it affects production - not the tool's compatibility.
- D. A temporary vulnerability window during patch application is a manageable, time-bounded risk compared to the open-ended risk of running an unvalidated patch on production systems.
Concept tested. Third-party patch risk management and test environment dependency
Reference. https://csrc.nist.gov/publications/detail/sp/800-40/rev-3/final