When a zero-day vulnerability is reported, what is the best initial action to identify affected systems?


The best initial action to identify affected systems when a zero-day vulnerability is reported is to check systems for affected version numbers. This approach allows organizations to quickly assess which systems may be at risk based on the specific versions of software or applications in use. By knowing the version numbers of installed software, security teams can determine if they are utilizing a version that has the reported vulnerability.

This step is critical because it enables a focused assessment without the need for exhaustive scanning processes, which can be time-consuming. It allows for rapid identification of potentially vulnerable systems, facilitating timely remediation efforts before further exploitation can occur.

The other options, while potentially useful in broader vulnerability management practices, do not provide the immediate clarity needed in response to a zero-day incident. Conducting a comprehensive vulnerability scan may take time and may not be necessary if specific version knowledge is available. Checking the CVE database for patches is an important follow-up action once affected systems have been identified; however, it does not directly assist in pinpointing which systems are impacted. Creating custom IDS or IPS signatures is also a reactive measure that comes after identifying vulnerable systems and understanding the nature of the threat, rather than a proactive assessment step.
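The version check described above can be sketched as a match between a software inventory and an advisory's affected range. This is an added example, not part of the original quiz; the package name, hosts, versions and the `triage` helper are all constructed for illustration. It compares versions numerically, because plain string comparison would rank "2.10.0" below "2.9.3", and it reports unparseable versions separately so they get a manual check.

```python
import re

# Constructed advisory for a hypothetical package: affected range is inclusive.
ADVISORY = {"package": "examplelib", "first_affected": "2.4.0", "last_affected": "2.10.0"}

# Constructed inventory rows: (host, package, installed version).
INVENTORY = [
    ("web01", "examplelib", "2.9.3"),
    ("web02", "examplelib", "2.10.1"),
    ("db01", "examplelib", "2.10"),         # short form of 2.10.0
    ("app01", "examplelib", "2.3.9"),
    ("app02", "otherlib", "2.5.0"),
    ("build01", "examplelib", "2.x-custom"),  # cannot be compared automatically
]

def parse_version(text, width=4):
    """Return a zero-padded tuple of ints for dotted numeric versions, else None."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    parts = [int(p) for p in text.split(".")]
    if len(parts) > width:
        return None
    return tuple(parts + [0] * (width - len(parts)))

def triage(inventory, advisory):
    """Split hosts running the advised package into affected and unknown lists."""
    low = parse_version(advisory["first_affected"])
    high = parse_version(advisory["last_affected"])
    affected, unknown = [], []
    for host, package, version in inventory:
        if package != advisory["package"]:
            continue
        parsed = parse_version(version)
        if parsed is None:
            unknown.append(host)      # needs a manual look, do not assume safe
        elif low <= parsed <= high:
            affected.append(host)
    return affected, unknown

if __name__ == "__main__":
    affected, unknown = triage(INVENTORY, ADVISORY)
    print("affected:", affected)
    print("manual check:", unknown)
```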
