When considering a vendor-specific vulnerability in critical industrial control systems which of the
following techniques supports availability?

A.
Deploying identical application firewalls at the border

B.
Incorporating diversity into redundant design

C.
Enforcing application white lists on the support workstations

D.
Ensuring the systems’ anti-virus definitions are up-to-date

Explanation:
If you know there is a vulnerability that is specific to one vendor, you can improve availability by
implementing multiple systems that include at least one system from a different vendor and so is not
affected by the vulnerability.
Incorrect Answers:
A: An application firewall is a form of firewall which controls input, output, and/or access from, to, or by
an application or service. It operates by monitoring and potentially blocking the input, output, or system
service calls which do not meet the configured policy of the firewall. We don’t know what the
vulnerability is but it’s unlikely that a firewall will prevent the vulnerability or ensure availability.
C: Application whitelisting is a form of application security which prevents any software from running on a
system unless it is included on a preapproved exception list. It does not prevent vendor-specific
vulnerability already inherent in the application, nor does it ensure availability.
D:
Antivirus software is used to protect systems against viruses, which are a form of malicious code
designed to spread from one system to another, consuming network resources. Ensuring the systems’
anti-virus definitions are up-to-date is always a good idea. However, a vendor specific vulnerability is
usually not caused by a virus.

Dulaney, Emmett and Chuck Eastton, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis,
2014, pp. 161-162, 340