EC-Council
312-50V10 · Question #75
312-50V10 Question #75: Real Exam Question with Answer & Explanation
The correct answer is C. Containment.
Information Security and Ethical Hacking Fundamentals
Question
It has been reported to you that someone has caused an information spillage on their computer. You go to the computer, disconnect it from the network, remove the keyboard and mouse, and power it down. What step in incident handling did you just complete?
Options
- A. Discovery
- B. Recovery
- C. Containment
- D. Eradication
Explanation
Disconnecting a compromised system from the network and powering it down are classic containment actions - limiting the spread or impact of an incident without yet removing the threat or restoring operations.
Common mistakes.
- A. Discovery is the phase where the incident is first identified or reported, which had already occurred before these actions were taken.
- B. Recovery involves restoring systems to normal operation after the threat has been removed, not isolating the affected machine.
- D. Eradication is the phase where the root cause (malware, unauthorized account, etc.) is actively removed from the environment.
Concept tested. Incident response containment phase
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
incident handling, containment, information spillage, incident response