Chapter 30 Β· Tricks & Performance

Trick Questions & Performance Tasks

The OS vulnerability misconceptions that catch students off guard on the exam.

⚠️ Think before you reveal.

🎯 Trick 1 β€” "No Exploits Yet" Means No Urgency

"If no exploits exist yet for a newly disclosed OS vulnerability, there is no urgent need to patch." True or False?

FALSE.

The moment a patch is released, the vulnerability is publicly disclosed. Attackers begin reverse engineering the patch immediately to identify the exact flaw. Exploit development time after patch release has shrunk dramatically β€” some exploits appear within 24 hours, others within a week. "No known exploits yet" describes the situation at the moment of disclosure β€” not 48 hours later. The correct response to a newly disclosed vulnerability is to assess its severity and patch as quickly as safely possible. Waiting for exploits to appear before treating a patch as urgent means the exploit will arrive before the patch.

🎯 Trick 2 β€” "Patch Installed" Means Fully Protected

"A system that shows 'Patch Installed' in the management console is fully protected by that patch." True or False?

FALSE.

"Installed" and "protected" are different states for many OS patches. Core OS patches β€” kernel updates, driver changes, security subsystem modifications β€” install their files to disk but the old, vulnerable code continues to run in memory until the system restarts. A machine in the "installed, restart pending" state has downloaded and staged the patch but is not yet protected. Patch management dashboards that show only installation status β€” not restart status β€” present a false picture of the security posture. Always track restart-pending separately.

🎯 Trick 3 β€” Zero-Days Are Less Dangerous Than Known Vulnerabilities

"Zero-day vulnerabilities are less dangerous than known vulnerabilities because attackers haven't had time to develop exploits." True or False?

FALSE β€” the opposite is true.

A zero-day vulnerability is more dangerous precisely because no patch exists. For a known vulnerability with a patch, the organization has a clear, direct action available: apply the patch. For a zero-day, there is no patch to apply β€” the organization can only implement compensating controls (disable the feature, add network restrictions, increase monitoring) while waiting for the vendor. Additionally, zero-days discovered in the wild are often already being actively exploited by the attackers who found them, before the vendor even knows. The absence of a patch makes zero-days the highest-urgency category.

🎯 Trick 4 β€” Delaying Patches Always Reduces Risk

"Delaying patches until thorough testing is complete always reduces risk." True or False?

FALSE.

Delaying patches reduces the risk of a compatibility-induced outage β€” but increases the risk of exploitation during the delay. These two risks must be balanced, not simply minimized on one side. For a critical RCE vulnerability being actively exploited in the wild, the risk of remaining unpatched for 30 days far exceeds the risk of a compatibility issue. For a low-severity informational patch with no known exploits, a longer testing window is appropriate. Risk-based patch prioritization β€” deploying critical patches urgently while giving lower-severity patches more testing time β€” is the correct approach. A uniform delay policy applied to all patches regardless of severity is a policy that will, at some point, leave a critical vulnerability unpatched while attackers actively exploit it.

🎯 Performance Task β€” Patch Tuesday Deployment Strategy

Your organization has 500 Windows endpoints across three office locations. It is Patch Tuesday and Microsoft has released 43 patches, including 3 rated Critical (all Remote Code Execution vulnerabilities with CVSS scores above 9.0) and 40 rated Important or Moderate. You have a staging environment of 20 machines, a pilot group of 50, and the IT team is worried about a recent patch that broke a third-party HR application last quarter. Describe your patch deployment strategy for this month.

Step 1 β€” Triage by severity: Separate the 3 Critical RCE patches from the 40 lower-severity patches. Critical patches with CVSS 9.0+ and active exploitation potential require an accelerated timeline. Lower-severity patches can follow the standard staged timeline.

Step 2 β€” Critical patches β€” accelerated path: Deploy the 3 Critical RCE patches to the staging environment immediately (Day 0). Focus testing on the HR application and any other known-sensitive integrations from last quarter's incident. If no issues appear after 24–48 hours, push to the pilot group. If the pilot group is clear after another 24 hours, push to all 500 endpoints. Target: Critical patches deployed within 3–5 days of Patch Tuesday.

Step 3 β€” Lower-severity patches β€” standard path: Deploy all 40 remaining patches to staging on Day 1–2. Run full compatibility testing over 5–7 days. Pilot rollout after compatibility is confirmed. Full deployment over the following week.

Step 4 β€” Reboot management: Identify which patches require reboots. Schedule maintenance windows for each office location β€” outside business hours. Track restart-pending status separately from installation status in the patch management console. Do not mark endpoints as protected until both "installed" and "restarted" are confirmed.

Step 5 β€” HR application risk: Given last quarter's incident, include the HR application as a specific test case in Stage 2 before any patch is promoted to production. If a patch conflicts with the HR application, exclude it from the current rollout, document the exclusion, notify the HR vendor, and re-assess when a fix is available.

Step 6 β€” Backup before deployment: Verify that system images or recovery snapshots exist for all 500 endpoints, taken within 24 hours of Patch Tuesday. This ensures a rollback path if a patch causes unexpected production issues.

Outcome: Critical RCE vulnerabilities patched within 3–5 days β€” minimizing the exploit window. Lower-severity patches deployed within 10–14 days β€” with proper testing. HR application protected by a specific compatibility test. Fallback available for all systems.