After penetration testing, a vulnerability on a web server is identified and confirmed. Which of the following actions should be taken first?
A. Apply patches in time
B. Conduct change management
C. Conduct risk assessment
D. Conduct configuration management
Kindly be reminded that the suggested answer is for your reference only. It doesn’t matter whether you have the right or wrong answer. What really matters is your reasoning process and justifications.
My suggested answer is C. Conduct risk assessment.
Vulnerability is one of the major risk factors. Before taking any actions to respond to or conducting risk treatment, the risk should be assessed. There are three steps to assess risk in terms of ISO 31000 or ISO 27005:
- Risk identification
- Risk analysis
- Risk evaluation
Penetration testing can be part of risk identification and risk analysis. It depends on the extent to which the PenTesting report is prepared.
Risk is typically scored in terms of possibility and impact. “Tiny” risk may imply is not gonna happen, or the loss is as tiny as it can be accepted. Risk evaluation made a decision if the risk should be treated. Besides, the cost/benefit of risk treatment solutions should be considered.
Change management implies a “YES” for someone to do something or respond to risk. A request for change is required. It is then reviewed and evaluated by certain authority, e.g., a change control board.
Change Management and Configuration Management
Configuration management is about managing the configuration itself, while change management focuses on managing the change: the change request procedure, review & evaluation and approval & denial criteria and procedures, and monitoring the result and performance. Software components, hardware devices, or security settings are configurations; changes, e.g., applying patches, to those configurations need to be managed.
Moreover, there are various types of penetration testing. For example, A mystery guest performing a physical penetration test using social engineering skills broke into the computer room and found out the web server is not physically protected. Software patches won’t fix this vulnerability.