A scan report returned multiple vulnerabilities affecting several production servers that are mission critical. Attempts to apply the patches in the development environment have caused the servers to crash. What is the BEST course of action?
Correct Answer: C
The best course of action for the situation where a scan report returned multiple vulnerabilities affecting several production servers that are mission critical, and where attempts to apply the patches in the development environment have caused the servers to crash, is to mitigate the risks with compensating controls. A vulnerability is a type of weakness or flaw in a system or a network, such as a production server, that can be exploited or leveraged by a threat or an attacker, to cause harm or damage to the system or the network, or to compromise the security, functionality, or usability of the system or the network. A vulnerability can be identified or discovered by various methods, such as a scan report, which is a document or a tool that provides the information or the data about the vulnerabilities that are found or detected on a system or a network, using various techniques, such as vulnerability scanning or penetration testing. A vulnerability can be remediated or resolved by various methods, such as a patch, which is a piece or a unit of software or code that is applied or installed on a system or a network, to fix or correct the vulnerability, and to improve the security, performance, or reliability of the system or the network. A patch can be tested or verified by various methods, such as a development environment, which is a type of setting or configuration that is used or created for developing, testing, or validating the software or code, such as a patch, before applying or installing it on a production environment, which is a type of setting or configuration that is used or created for running or operating the software or code, such as a system or a network, that is mission critical, which means that it is essential or vital for the functioning or operation of the organization or the business. A patch can also cause or introduce various problems or issues, such as a crash, which is a type of failure or malfunction that occurs on a system or a network, and that causes the system or the network to stop or terminate unexpectedly or abnormally, and to lose or corrupt the data or the information. A risk is a type of uncertainty or possibility that a threat or an attacker can exploit or leverage a vulnerability, and that can cause harm or damage to the system or the network, or to the organization or the business. A risk can be managed or handled by various methods, such as a control, which is a type of measure or action that is implemented or performed on a system or a network, to prevent or mitigate the risk, and to achieve the objectives or goals of the system or the network, or of the organization or the business. A control can be classified into various types, such as a compensating control, which is a type of control that is implemented or performed as an alternative or a substitute for the primary or the original control, such as a patch, that is not available, feasible, or effective, and that provides the equivalent or comparable level of protection or mitigation for the system or the network, or for the organization or the business. Mitigating the risks with compensating controls is the best course of action for the situation where a scan report returned multiple vulnerabilities affecting several production servers that are mission critical, and where attempts to apply the patches in the development environment have caused the servers to crash, as it can provide the benefits of both patching and testing, such as security, performance, or reliability, and as it can avoid or reduce the problems or issues, such as crash, loss, or corruption.