There is a time lag between the time when a security vulnerability is first published, and the time
when a patch is delivered. Which of the following should be carried out FIRST to mitigate the risk
during this time period?

A.
Identify the vulnerable systems and apply compensating controls

B.
Minimize the use of vulnerable systems

C.
Communicate the vulnerability to system users

D.
Update the signatures database of the intrusion detection system (IDS)

Explanation:

The best protection is to identify the vulnerable systems and apply compensating controls until a
patch is installed. Minimizing the use of vulnerable systems and communicating the vulnerability to
system users could be compensating controls but would not be the first course of action. Choice D
does not make clear the timing of when the intrusion detection system (IDS) signature list would
be updated to accommodate the vulnerabilities that are not yet publicly known. Therefore, this
approach should not always be considered as the first option.