level of response. For example, consider the following scenario.
A database server in your organization was implemented 14 years ago and stopped
being supported six years ago but serves an important process for a department of nine
people, who are its only users. Last week, you discovered a critical vulnerability that was
reported to the Common Vulnerabilities and Exposures (CVE) List
(https://cve.mitre.org/). The vulnerability concerns the underlying database product, and
no patches are available to remediate the vulnerability.
What are some practical risk management techniques you could apply to the situation to
reduce risk to an acceptable level, providing access to the system for the small team
while limiting access for everyone else?
What might you do to counter the threat of continued use of the system?