Because the system is mission critical and there is no patch and no vendor support, the best risk-reduction approach is to implement compensating controls. Compensating controls are specifically recommended when immediate remediation is not possible, and for legacy systems where patches may not exist.
The Sybex CySA+ Study Guide states this directly:
Exact extract (Sybex Study Guide): “Legacy systems may not have patches available, meaning that compensating controls may be the only option available.”
Secbay Press also explains that legacy systems may lack vendor support/updates and that mitigation strategies like compensating controls or isolation are essential to reduce risk:
Exact extract (Secbay Press): “Legacy systems may lack vendor support and updates, making mitigation strategies essential… Implement specific mitigation strategies for legacy systems, such as compensating controls or isolation.”
And Secbay provides a legacy-system compensating control case study showing exactly the kinds of controls mentioned in option D—segmentation/isolation, access controls, and enhanced monitoring/continuous monitoring:
Exact extract (Secbay Press): “Selected compensating controls, such as network segmentation, intrusion detection systems, and enhanced monitoring, to mitigate the risks…”
Why the other options are not “best” given the constraints:
A (Decommission immediately): may be ideal long-term, but conflicts with “mission critical” (and “immediately” is often unrealistic for business operations).
B (Block inbound/allow outbound): helps somewhat but is incomplete; unrestricted outbound traffic can still carry command-and-control or exfiltration, and this option does not comprehensively address restricted admin access or monitoring.
C (WAF): useful only if this is specifically a web application exposure; the scenario says “legacy system” broadly. Compensating controls are the most complete and universally applicable choice.
References (CompTIA CySA+ CS0-003 documents / study guides used):
Chapple/Seidl, CompTIA CySA+ Study Guide (CS0-003): legacy systems may have no patches; compensating controls may be the only option
Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): legacy systems lack support/updates; use compensating controls or isolation
Secbay Press, CompTIA CySA+ Exam Prep Guide (CS0-003): compensating controls for legacy systems include segmentation/isolation and enhanced/continuous monitoring
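To make the difference between option B and option D concrete, the following is an added example that is not from the study guides quoted above or from any product. It evaluates constructed flow records from a legacy host against two policies: option B's "deny inbound, allow all outbound" and option D's compensating-control set (segmentation with an inbound allowlist limited to a jump host, an outbound allowlist, and alerting on every denied flow as the enhanced-monitoring piece). The host names, addresses, ports and flows are assumptions chosen for illustration.

```python
"""
Added example (not from the cited study guides): compare option B's
firewall posture with option D's compensating controls for a legacy host.
All addresses, ports and flow records below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Assumed legacy system and the only host allowed to administer it.
LEGACY_HOST = ipaddress.ip_address("10.20.5.10")
JUMP_HOST = ipaddress.ip_network("10.20.1.5/32")
ADMIN_PORT, ADMIN_PROTO = 22, "tcp"

# Assumed legitimate outbound destinations: internal NTP and an on-prem update mirror.
OUTBOUND_ALLOW = {
    (ipaddress.ip_network("10.20.1.20/32"), 123, "udp"),
    (ipaddress.ip_network("10.20.1.30/32"), 443, "tcp"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str


def policy_b(flow: Flow) -> str:
    """Option B: deny anything inbound to the legacy host, permit all outbound."""
    if ipaddress.ip_address(flow.dst) == LEGACY_HOST:
        return "deny"
    return "allow"


def policy_d(flow: Flow) -> str:
    """Option D: segmentation with explicit allowlists in both directions."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    if dst == LEGACY_HOST:
        # Inbound: only admin access from the jump host on the admin port.
        if src in JUMP_HOST and flow.dport == ADMIN_PORT and flow.proto == ADMIN_PROTO:
            return "allow"
        return "deny"
    if src == LEGACY_HOST:
        # Outbound: only the enumerated destinations; everything else is denied.
        for net, port, proto in OUTBOUND_ALLOW:
            if dst in net and flow.dport == port and flow.proto == proto:
                return "allow"
        return "deny"
    # Flows not involving the legacy host are outside this policy's scope.
    return "deny"


def evaluate(flows, policy):
    """Return (decisions, alerts): one verdict per flow, plus the denied flows
    that enhanced monitoring should surface as alerts."""
    decisions = [policy(f) for f in flows]
    alerts = [f for f, d in zip(flows, decisions) if d == "deny"]
    return decisions, alerts


# Constructed sample flows: admin SSH, a workstation probing SMB, NTP,
# and an outbound HTTPS connection to an unknown external host.
SAMPLE_FLOWS = [
    Flow("10.20.1.5", "10.20.5.10", 22, "tcp"),
    Flow("10.20.7.44", "10.20.5.10", 445, "tcp"),
    Flow("10.20.5.10", "10.20.1.20", 123, "udp"),
    Flow("10.20.5.10", "203.0.113.7", 443, "tcp"),
]

if __name__ == "__main__":
    for name, policy in (("B", policy_b), ("D", policy_d)):
        decisions, alerts = evaluate(SAMPLE_FLOWS, policy)
        print(f"Option {name}: {decisions}")
        for f in alerts:
            print(f"  alert: {f.src} -> {f.dst}:{f.dport}/{f.proto} denied")
```

Under option B the fourth flow (legacy host to an external address on 443) is allowed and never logged, which is exactly the outbound C2 or exfiltration gap noted above, and the legitimate admin session from the jump host is blocked along with everything else. Under option D the admin session and NTP are permitted, the SMB probe and the external connection are denied, and both denials land in the alert list for the monitoring team.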