medium
Single Answer

Wayne has identified a vulnerable server that is part of his organization’s critical infrastructure but that is no longer supported by the vendor and for which no additional patches exist. Every time Wayne scans the server using his vulnerability scanner, the services on the device crash. What should Wayne do?

Answer Options

A

Report the server as vulnerable and suggest that it be replaced immediately.

B

Disable the network connection on the device and isolate the server to protect it.

C

Identify a third-party insurance provider who will insure the organization against potential issues with the server.

D

Document an exemption, remove the server from automated scans, and implement compensating controls.

Correct Answer: D

Explanation

In most organizations, Wayne's next step should be to document an exemption for the server, citing its criticality and the extenuating circumstances (unsupported by the vendor, no patches available, services crash when scanned). Removing the server from automated scans stops the scanner from causing a denial of service every time it runs, but because the server will no longer be tracked by the scanner, compensating controls such as network segmentation, strict access control, and additional monitoring should be implemented where possible, and the exemption should be reviewed periodically. Reporting the server as vulnerable and suggesting that it be replaced does not remediate or protect the server in the meantime, and it would continue to crash with every future scan. Disabling the device's network connection would itself cause a service outage of a critical system. Insurance may offset financial loss, but it neither prevents service outages nor protects the device.
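The process the correct answer describes (a documented exemption with an approver, a review date and compensating controls, plus removal of the host from automated scans) is easy to get wrong when it lives only in a spreadsheet. The following is an added example, not part of the original question or its source, of how an exemption register can be reconciled against the scan target list before each scan run. The field names, hostnames, dates and sample exemptions are constructed for illustration and are not from any real scanner or organization.

```python
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Exemption:
    """One documented scan exemption. The fields are this example's own assumption
    about what an exemption record should carry; adapt them to your policy."""
    host: str
    reason: str
    approved_by: str
    review_by: date                      # exemptions are time-limited, never permanent
    compensating_controls: list = field(default_factory=list)


def check_exemption(ex: Exemption, today: date) -> list:
    """Return the policy problems with one exemption (empty list if it is sound)."""
    problems = []
    if not ex.compensating_controls:
        problems.append(f"{ex.host}: exemption has no compensating controls")
    if not ex.approved_by:
        problems.append(f"{ex.host}: exemption has no approver")
    if ex.review_by < today:
        problems.append(f"{ex.host}: exemption review date {ex.review_by} has passed")
    return problems


def reconcile(targets, exemptions, today):
    """Drop exempted hosts from the scan list and report exemptions needing attention.

    Returns (hosts_to_scan, findings). An exempted host stays excluded even when
    its exemption is overdue: silently putting it back into the scan would
    reproduce the outage the exemption exists to prevent, so the overdue review
    is raised as a finding for a human instead.
    """
    exempt_hosts = {ex.host for ex in exemptions}
    hosts_to_scan = [h for h in targets if h not in exempt_hosts]
    findings = []
    target_set = set(targets)
    for ex in exemptions:
        findings.extend(check_exemption(ex, today))
        if ex.host not in target_set:
            # An exemption for a host the scanner no longer knows about is
            # probably stale and should be closed rather than kept forever.
            findings.append(f"{ex.host}: exempted host is not in the scan inventory (stale exemption?)")
    return hosts_to_scan, findings


# Constructed sample data for the example (not real hosts or dates).
TODAY = date(2024, 6, 1)
SCAN_TARGETS = ["legacy-scada-01", "hmi-02", "web-01", "db-01"]
EXEMPTIONS = [
    # A sound exemption: approved, time-limited, with compensating controls.
    Exemption(
        host="legacy-scada-01",
        reason="Vendor EOL, no patches; services crash under vulnerability scan",
        approved_by="security-manager",
        review_by=date(2024, 12, 31),
        compensating_controls=[
            "isolated VLAN with firewall allow-list",
            "host IDS agent",
            "access only via monitored jump host",
        ],
    ),
    # A bad exemption: no approver, no controls, review date already passed.
    Exemption(host="hmi-02", reason="scan crashes HMI", approved_by="",
              review_by=date(2024, 1, 15)),
    # A stale exemption for a host that is no longer in the scan inventory.
    Exemption(host="old-print-srv", reason="decommissioned", approved_by="it-ops",
              review_by=date(2025, 1, 1), compensating_controls=["powered off"]),
]

if __name__ == "__main__":
    scan, findings = reconcile(SCAN_TARGETS, EXEMPTIONS, TODAY)
    print("hosts to scan:", scan)
    for finding in findings:
        print("FINDING:", finding)
```

Run this before each scheduled scan and feed `hosts_to_scan` to the scanner's target list; any non-empty `findings` list should block the run or page the vulnerability-management owner, so that an exemption can neither lapse unnoticed nor be created without the compensating controls the answer calls for.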