EC-Council


312-50V13 Question #204: Real Exam Question with Answer & Explanation

The correct answer is C: Disconnect the email server from the network. Upon detecting a suspicious connection indicating a security breach, the immediate first step is to disconnect the compromised system from the network to contain the threat.

Submitted by satoshi_tk · Mar 6, 2026 · System Hacking

Question

Nedved is an IT Security Manager of a bank in his country. One day, he found out that there is a security breach to his company's email server based on analysis of a suspicious connection from the email server to an unknown IP Address. What is the first thing that Nedved needs to do before contacting the incident response team?

Options

  • A. Leave it as it is and contact the incident response team right away
  • B. Block the connection to the suspicious IP Address from the firewall
  • C. Disconnect the email server from the network
  • D. Migrate the connection to the backup email server

Explanation

Upon detecting a suspicious connection indicating a security breach, the immediate first step is to disconnect the compromised system from the network to contain the threat.

Common mistakes.

  • A. Leaving the compromised server connected and merely contacting the incident response team allows the breach to continue and potentially worsen, violating the principle of containment.
  • B. Blocking the connection at the firewall is a good partial containment measure, but disconnecting the server directly offers a more complete and immediate isolation, as other vectors or bypasses might exist.
  • D. Migrating to a backup server does not address the ongoing compromise of the original email server and could potentially spread the infection if the backup is also connected or if the migration process is insecure.

Concept tested. Incident response containment strategy

Reference. https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf

Topics

#incident response · #containment · #network isolation · #security breach
