EC-Council
312-50V11 · Question #809
312-50V11 Question #809: Real Exam Question with Answer & Explanation
The correct answer is C: Disconnect the email server from the network.
Information Security and Ethical Hacking Fundamentals
Question
Nedved is an IT Security Manager of a bank in his country. One day, he found out that there is a security breach of his company's email server, based on analysis of a suspicious connection from the email server to an unknown IP address. What is the first thing that Nedved needs to do before contacting the incident response team?
Options
- A. Leave it as it is and contact the incident response team right away
- B. Block the connection to the suspicious IP address from the firewall
- C. Disconnect the email server from the network
- D. Migrate the connection to the backup email server
Explanation
The immediate first step when a server compromise is confirmed is containment: physically or logically isolating the affected system so that the active breach can neither spread to other hosts nor exfiltrate more data. Taking the email server off the network cuts the attacker's established connection to the unknown IP address and any other channel the server may have been using, which is why it comes before contacting the incident response team.
Common mistakes.
- A. Leaving the server connected while contacting the IR team allows the attacker to continue the active breach, potentially exfiltrating more sensitive data during the delay.
- B. Blocking the suspicious IP address at the firewall is only a partial mitigation: the server itself remains on the network and may have additional backdoors or communicate with other attacker-controlled addresses.
- D. Migrating traffic to a backup server does nothing to contain the compromised server, which remains active on the network and under attacker control.
Concept tested. Incident response containment (NIST SP 800-61r2 containment phase): isolating a compromised system.
Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Topics
#incident response, #containment, #breach response, #network isolation