CISSP-ISSAP · Question #21
You work as an Incident handling manager for Orangesect Inc. You detect a virus attack incident in the network of your company. You develop a signature based on the characteristics of the detected vir
The correct answer is A. Eradication. Eradication is correct because this phase focuses on removing the root cause of the incident - in this case, deploying the newly created virus signature to security tools (antivirus, IDS/IPS) to detect and eliminate all instances of the malware from the network. Why the distracto
Question
You work as an Incident handling manager for Orangesect Inc. You detect a virus attack incident in the network of your company. You develop a signature based on the characteristics of the detected virus. Which of the following phases in the Incident handling process will utilize the signature to resolve this incident?
Options
- AEradication
- BIdentification
- CRecovery
- DContainment
How the community answered
(30 responses)- A80% (24)
- B3% (1)
- C7% (2)
- D10% (3)
Explanation
Eradication is correct because this phase focuses on removing the root cause of the incident - in this case, deploying the newly created virus signature to security tools (antivirus, IDS/IPS) to detect and eliminate all instances of the malware from the network.
Why the distractors are wrong:
- Identification (B) is where you detect and analyze the incident and create the signature - the signature is produced here, not deployed.
- Containment (D) limits the spread of the incident (e.g., isolating infected systems) but doesn't remove the threat; it happens before eradication.
- Recovery (C) restores systems to normal operation after the threat is removed - it assumes eradication is already complete.
Memory tip: Think of the phases in order - Identify the threat → Contain the spread → Eradicate the cause → Recover systems. The signature is built during Identification and used during Eradication, just like you'd identify a disease before prescribing the cure.
Topics
Community Discussion
No community discussion yet for this question.