ISM-0941

History

Priority
should
Nov 2018
Removed
Removed due to being better served as supporting information.
2017
When patches are not available for security vulnerabilities, one or more of the following approaches must be implemented:
• resolve the security vulnerability by either:
– disabling the functionality associated with the security vulnerability
– asking the vendor for an alternative method of managing the security vulnerability
– moving to a different product with a more responsive vendor
– engaging a software developer to resolve the security vulnerability.
Control text changed. No public explanation.
2015
When patches are not available for vulnerabilities, one or more of the following approaches must be implemented:
• resolve the vulnerability by either:
– disabling the functionality associated with the vulnerability
– asking the vendor for an alternative method of managing the vulnerability
– moving to a different product with a more responsive vendor
– engaging a software developer to resolve the vulnerability.
2010
Where known vulnerabilities cannot be patched, or security patches are not available, agencies should implement one or more of:
• controls to resolve the vulnerability by either:
– disabling the functionality associated with the vulnerability through product configuration
– asking the vendor for an alternative method of managing the vulnerability
– moving to a different product with a more responsive vendor
– engaging a software developer to correct the software
• controls to prevent exploitation of the vulnerability by either:
– applying external input sanitisation (if an input triggers the exploit)
– applying filtering or verification on the software output (if the exploit relates to an information disclosure)
– applying additional access controls that prevent access to the vulnerability
– configuring firewall rules to limit access to the vulnerable software
• controls to contain the exploit by either:
– applying firewall rules limiting outward traffic that is likely in the event of an exploitation
– applying mandatory access control preventing the execution of exploitation code
– setting file system permissions preventing exploitation code from being written to disk
• controls to detect attacks by either:
– deploying an IDS
– monitoring logging alerts
– using other mechanisms as appropriate for the detection of exploits using the known vulnerability.