A database administrator receives a call on an outside telephone line from a person who states that they
work for a well-known database vendor. The caller states there have been problems applying the newly
released vulnerability patch for their database system, and asks what version is being used so that they
can assist. Which of the following is the BEST action for the administrator to take?

A. Thank the caller, report the contact to the manager, and contact the vendor support line to verify any reported patch issues.
B. Obtain the vendor's email and phone number and call them back after identifying the number of systems affected by the patch.
C. Give the caller the database version and patch level so that they can receive help applying the patch.
D. Call the police to report the contact about the database systems, and then check system logs for attack attempts.
Explanation:
Impersonation is where a person, computer, software application or service pretends to be someone or something it is not. Impersonation is commonly used non-maliciously in client/server applications; however, it can also be used as a security threat.
In this question, the person making the call may be impersonating someone who works for a well-known database vendor. The actions described in answer A mitigate the risk: by not divulging information about your database system and by contacting the vendor directly through its known support line, you can be sure that you are talking to the right people.

Incorrect Answers:
B: Identifying the number of systems affected by the patch would involve divulging the version number to the caller without being able to verify their identity. Calling back on a number supplied by the caller does not verify who they are.
C: Giving the caller the database version and patch level so that they can receive help applying the patch would be divulging potentially sensitive information to someone without being able to verify their identity. The version information could then be used for malicious purposes later, especially if that version of software has known vulnerabilities.
D: Calling the police to report the contact about the database systems, and then checking system logs for attack attempts, may be overkill. You do not know that the caller is malicious; they may well be from the vendor company. You just need a way to verify their identity.