During a penetration test, you determined several vulnerabilities within the client's network. If you were prioritizing the risks for remediation in the written report, which of the following would BEST guide your risk prioritization strategy?
Rank vulnerabilities by the ease and speed of implementing their fixes.
Prioritize vulnerabilities based on the combination of their likelihood of exploitation and potential business impact.
Order vulnerabilities solely by their severity ranking from a vulnerability scanning tool.
Organize the priorities based on the frequency of exploits for the vulnerabilities observed in recent threat intelligence reports.
The most accurate strategy for risk prioritization involves combining the likelihood of exploitation with the potential impact on the business. While all answers could somewhat guide the prioritization, the best method is the one that takes into account both how likely the vulnerability is to be exploited and what the consequences of that exploitation would be. This allows for a balanced approach that prioritizes the most significant risks. Simple ranking by severity may not account for the business context, ordering by ease of fix might let critical vulnerabilities remain unaddressed for longer, and prioritizing based on recent trends in exploits could overlook major vulnerabilities that haven't been exploited recently but pose a significant risk.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What does 'likelihood of exploitation' mean in the context of vulnerability assessment?
Open an interactive chat with Bash
How do you determine the 'potential business impact' of a vulnerability?
Open an interactive chat with Bash
What is the difference between 'severity ranking' and 'risk prioritization' in vulnerability management?