
Weekly CISSP Practice

Exam Questions

Week 22 - Question 2

Scenario: During a network scan, you discover that numerous workstations are using outdated SSL protocols. What is the primary risk associated with this finding?

A. Performance degradation

B. Lack of support

C. Vulnerability to attacks

D. Increased operational cost

Answer: C


Detailed Explanations

A. Performance Degradation

While it is true that modern protocols like TLS 1.3 are optimized for speed (requiring fewer "round-trips" during a handshake), performance is almost never the primary concern for a security professional.

  • The Reality: Older SSL protocols are actually quite fast because they use weaker, less complex encryption. However, gaining a few milliseconds of speed at the cost of total data compromise is an unacceptable trade-off.

B. Lack of Support

"End of Life" (EOL) status is a significant administrative risk.

  • The Consequence: If a protocol is no longer supported, it means the vendor will no longer release security patches for it.

  • The Distinction: Lack of support is the cause, but the "Vulnerability to attacks" is the actualized risk. In the CISSP mindset, always look for the answer that identifies the direct threat to the CIA Triad (Confidentiality, Integrity, and Availability).

C. Vulnerability to Attacks

This is the correct answer because outdated protocols have known, documented cryptographic weaknesses.

  • Why it's the Answer: Protocols like SSL 3.0 are vulnerable to specific exploits such as POODLE (Padding Oracle On Downgraded Legacy Encryption). These vulnerabilities allow attackers to perform Man-in-the-Middle (MitM) attacks, where they can intercept and decrypt traffic between the workstation and the server.

  • The Evolution: SSL has been entirely superseded by TLS. Currently, anything below TLS 1.2 is considered a high-risk finding during a security audit or a vulnerability scan.
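As an added example (not part of the practice question), the rule from this section in Python: scanned protocol versions are rated against the TLS 1.2 floor, and the remediation is a client `ssl` context that refuses anything older. The "host protocol" scan format, host names and sample lines are constructed for the example.

```python
"""Triage TLS/SSL protocol findings and build a client that refuses legacy versions."""
import ssl

# Oldest to newest; position in this list is what we compare.
PROTOCOL_ORDER = ["SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
MINIMUM_ACCEPTABLE = "TLSv1.2"  # anything below this is rated high risk, as the explanation states

def classify_protocol(protocol: str) -> tuple:
    """Return (risk, note) for a negotiated protocol label such as 'SSLv3'."""
    if protocol not in PROTOCOL_ORDER:
        raise ValueError(f"unknown protocol label: {protocol!r}")
    if PROTOCOL_ORDER.index(protocol) < PROTOCOL_ORDER.index(MINIMUM_ACCEPTABLE):
        if protocol == "SSLv3":
            return "HIGH", "SSL 3.0: exposed to POODLE padding-oracle decryption"
        return "HIGH", "deprecated version, no longer receives security fixes"
    return "OK", "meets the TLS 1.2 minimum"

def triage_scan(lines):
    """Parse 'host protocol' lines (a constructed format, not a real scanner's) into findings."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        host, protocol = line.split()
        risk, note = classify_protocol(protocol)
        findings.append((host, protocol, risk, note))
    return findings

def hardened_client_context() -> ssl.SSLContext:
    """Remediation on the workstation side: refuse to negotiate anything below TLS 1.2."""
    ctx = ssl.create_default_context()  # certificate verification and hostname checks stay on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

# Constructed sample scan output (host names and versions are made up for this example).
SAMPLE_SCAN = """
ws-101.corp.example SSLv3
ws-102.corp.example TLSv1.0
ws-103.corp.example TLSv1.2
ws-104.corp.example TLSv1.3
""".splitlines()

if __name__ == "__main__":
    for host, protocol, risk, note in triage_scan(SAMPLE_SCAN):
        print(f"{risk:4} {host:20} {protocol:8} {note}")
    print("hardened client minimum:", hardened_client_context().minimum_version.name)
```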

D. Increased Operational Cost

Maintaining legacy systems can be expensive because it requires specialized knowledge and can prevent the organization from adopting more efficient, modern technologies.

  • The Context: While this is a valid business concern for the Business Impact Analysis (BIA), it does not represent the immediate technical danger that a vulnerability scanner is designed to identify.

