
SY0-501 · Question #502

SY0-501 Question #502: Real Exam Question with Answer & Explanation

The correct answer is A: Restore lost data from a backup. Isolating the host from the network was containment and terminating the malicious process was eradication; the next phase of the incident response process is recovery, which returns affected systems and data to normal operation.

Submitted by rohit_dlh · Mar 4, 2026

Question

A systems administrator has isolated an infected system from the network and terminated the malicious process from executing. Which of the following should the administrator do NEXT according to the incident response process?

Options

  • A. Restore lost data from a backup.
  • B. Wipe the system.
  • C. Document the lessons learned.
  • D. Determine the scope of impact.

Explanation

Following the containment and eradication of a security incident, the next step in the incident response process is recovery: restoring system functionality and data integrity so that normal operations can resume. Restore only from a backup that is known to be clean, that is, one taken before the earliest indicator of compromise and whose integrity can be verified; restoring from a backup taken after the infection simply reintroduces it. Recovery also includes monitoring the restored system to confirm the threat has actually been eliminated (NIST SP 800-61r2, section 3.3.4).

Common mistakes.

  • B. Wiping (or reimaging) the system is an Eradication activity that removes all traces of the compromise; it occurs before the Recovery phase in which data is restored.
  • C. Documenting lessons learned is a post-incident activity that occurs after the system has been recovered and verified as operational, not immediately after containment and eradication.
  • D. Determining the scope of impact belongs to the Identification phase (Detection and Analysis in NIST SP 800-61r2), which happens earlier in the incident response process, before containment and eradication.
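The recovery step above hides a practical check that the question does not spell out: which backup is safe to restore from. The following Python example is added here and is not part of the original question or its reference; it selects the newest backup that was taken before the earliest known indicator of compromise and whose archive still matches the hash recorded when the backup was made. The backup manifest, the archive contents and the compromise timestamp are constructed for the example, and the function names (`make_manifest`, `select_clean_restore_point`) are hypothetical.

```python
"""Added example: choose a clean restore point during the Recovery phase.
Not code from the question page or from NIST SP 800-61r2. The manifest,
archives and compromise time below are constructed sample data."""
import hashlib
from datetime import datetime, timezone


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an archive's bytes."""
    return hashlib.sha256(data).hexdigest()


def make_manifest(archives):
    """Hypothetical manifest as a backup job would record it at backup time:
    one entry per backup with its timestamp and the hash of the archive."""
    return [
        {"id": backup_id, "taken_at": taken_at, "sha256": sha256_hex(data)}
        for backup_id, (taken_at, data) in archives.items()
    ]


def select_clean_restore_point(manifest, store, compromise_start):
    """Return the id of the newest backup that (a) was taken strictly before
    compromise_start, the earliest indicator of compromise found during
    analysis, and (b) still matches its recorded hash in the backup store.
    Returns None when no backup satisfies both conditions."""
    newest_first = sorted(
        manifest,
        key=lambda entry: datetime.fromisoformat(entry["taken_at"]),
        reverse=True,
    )
    for entry in newest_first:
        taken_at = datetime.fromisoformat(entry["taken_at"])
        if taken_at >= compromise_start:
            # Taken during or after the compromise: may already contain
            # the malware or its persistence, so it is not a safe restore point.
            continue
        data = store.get(entry["id"])
        if data is None or sha256_hex(data) != entry["sha256"]:
            # Archive missing or altered since the manifest was written.
            continue
        return entry["id"]
    return None


# Constructed sample data: three weekly backups of a payroll database.
ORIGINAL_ARCHIVES = {
    "bk-001": ("2026-02-20T02:00:00+00:00", b"payroll-db snapshot 2026-02-20"),
    "bk-002": ("2026-02-27T02:00:00+00:00", b"payroll-db snapshot 2026-02-27"),
    "bk-003": ("2026-03-06T02:00:00+00:00", b"payroll-db snapshot 2026-03-06"),
}
MANIFEST = make_manifest(ORIGINAL_ARCHIVES)

# Current contents of the backup store: bk-002 has been altered since the
# manifest was written (constructed to show the integrity check in action).
STORE = {backup_id: data for backup_id, (_, data) in ORIGINAL_ARCHIVES.items()}
STORE["bk-002"] = b"payroll-db snapshot 2026-02-27 (modified)"

# Earliest indicator of compromise established during Identification.
COMPROMISE_START = datetime(2026, 3, 1, tzinfo=timezone.utc)


if __name__ == "__main__":
    chosen = select_clean_restore_point(MANIFEST, STORE, COMPROMISE_START)
    print("restore from:", chosen)
```

With the sample data, bk-003 is rejected because it was taken after the compromise began and bk-002 is rejected because its archive no longer matches the manifest, so the function returns bk-001. If the compromise is found to predate every backup, the function returns None and the administrator has to rebuild rather than restore, which is the case where option B would apply.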

Concept tested. Incident response process phases (recovery)

Reference. https://nvlpubs.nist.gov/nistpubs/specialpublications/nist.sp.800-61r2.pdf

