Question

A regional transportation and logistics company recently hired its first Chief Information Security Officer (CISO). The CISO's first project after onboarding involved performing a vulnerability assessment against the company's public facing network. The completed scan found a legacy collaboration platform application with a critically rated vulnerability. While discussing this issue with the line of business, the CISO learns the vulnerable application cannot be updated without the company incurring significant losses due to downtime or new software purchases.

Which of the following BEST addresses these concerns?

A. The company should plan future maintenance windows such legacy application can be updated as needed.
B. The CISO must accept the risk of the legacy application, as the cost of replacing the application greatly exceeds the risk to the company.
C. The company should implement a WAF in front of the vulnerable application to filter out any traffic attempting to exploit the vulnerability.
D. The company should build a parallel system and perform a cutover from the old application to the new application, with less downtime than an upgrade.

Answer 1

The company should implement a WAF in front of the vulnerable application to filter out any traffic attempting to exploit the vulnerability. This solution allows the company to mitigate the risk without incurring significant costs or downtime.

Step-by-step explanation:

The BEST option to address the concerns of the company regarding the legacy collaboration platform application with a critically rated vulnerability is Option C: The company should implement a WAF in front of the vulnerable application to filter out any traffic attempting to exploit the vulnerability.

A Web Application Firewall (WAF) can provide an additional layer of protection by inspecting and filtering traffic to the vulnerable application, preventing potential exploits. This solution allows the company to mitigate the risk without incurring significant costs or downtime.