An organization's intrusion prevention system (IPS) detected and blocked an unusually large number of external intrusion attempts within a 24-hour period. Which of the following should be the information security manager's FIRST course of action?
A. Perform security assessments on Internet-facing systems.
B. Identify the source and nature of the attempts.
B. Identify the source and nature of the attempts should be the information security manager's first course of action after an organization's intrusion prevention system (IPS) detected and blocked an unusually large number of external intrusion attempts within a 24-hour period. Identifying the source of the intrusion attempts, such as the IP addresses or domains involved, and the nature of the attempts, such as the types of attack vectors used, can help to determine the level of threat and the potential impact on the organization. This information can then be used to take appropriate defensive measures, such as blocking the IP addresses or domains involved, and hardening systems against the attack vectors used. The other options such as performing security assessments on Internet-facing systems, reviewing the server and firewall audit logs and reporting the issue to senior management are also important, but identifying the source and nature of the attempts should be the first step to take.
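The "source and nature" step the answer describes is, in practice, a first-pass triage of the IPS block events: group them by originating address and by signature so the manager can see who is knocking and what they are trying. The script below is an added example, not part of the ExamTopics thread or any vendor's tooling; the key=value log format and the sample lines are constructed for illustration, and the `triage` and `top_sources` helper names are my own.

```python
"""Added example: first-pass triage of a burst of blocked IPS events,
summarising them by source address (who) and by signature (what)."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample IPS log lines (RFC 5737 documentation addresses, not
# real traffic). The key=value layout is an assumed format for this example.
SAMPLE_IPS_LOG = """\
2024-05-01T02:14:07Z action=block src=198.51.100.23 dst=203.0.113.10 dport=443 sig="SQL injection attempt"
2024-05-01T02:14:09Z action=block src=198.51.100.23 dst=203.0.113.10 dport=443 sig="SQL injection attempt"
2024-05-01T02:15:30Z action=block src=198.51.100.23 dst=203.0.113.10 dport=443 sig="Path traversal attempt"
2024-05-01T03:02:11Z action=block src=192.0.2.77 dst=203.0.113.10 dport=22 sig="SSH brute force"
2024-05-01T03:02:12Z action=block src=192.0.2.77 dst=203.0.113.10 dport=22 sig="SSH brute force"
2024-05-01T03:02:13Z action=block src=192.0.2.77 dst=203.0.113.10 dport=22 sig="SSH brute force"
2024-05-01T04:40:00Z action=allow src=192.0.2.5 dst=203.0.113.10 dport=443 sig="none"
2024-05-01T05:10:45Z action=block src=203.0.113.200 dst=203.0.113.11 dport=80 sig="Path traversal attempt"
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) '
    r'dport=(?P<dport>\d+) sig="(?P<sig>[^"]*)"$'
)


def parse_events(log_text):
    """Parse one event per line; malformed lines are skipped, not fatal."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def triage(events, window_hours=24):
    """Summarise blocked events in the trailing window.

    Returns counts by source (who), counts by signature (what), and a
    per-source profile listing the signatures and dst:port pairs it hit.
    """
    if not events:
        return {"by_source": {}, "by_signature": {}, "source_profiles": {}}
    cutoff = max(e["ts"] for e in events) - timedelta(hours=window_hours)
    blocked = [e for e in events if e["action"] == "block" and e["ts"] >= cutoff]

    by_source = Counter(e["src"] for e in blocked)
    by_signature = Counter(e["sig"] for e in blocked)
    profiles = defaultdict(lambda: {"signatures": set(), "targets": set()})
    for e in blocked:
        profiles[e["src"]]["signatures"].add(e["sig"])
        profiles[e["src"]]["targets"].add(f"{e['dst']}:{e['dport']}")

    # Sorted lists make the summary deterministic and easy to report.
    source_profiles = {
        src: {"signatures": sorted(p["signatures"]), "targets": sorted(p["targets"])}
        for src, p in profiles.items()
    }
    return {
        "by_source": dict(by_source),
        "by_signature": dict(by_signature),
        "source_profiles": source_profiles,
    }


def top_sources(summary, n=5):
    """Noisiest sources first; ties broken by address so output is stable."""
    return sorted(summary["by_source"].items(), key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    summary = triage(parse_events(SAMPLE_IPS_LOG))
    for src, count in top_sources(summary):
        prof = summary["source_profiles"][src]
        print(f"{src}: {count} blocks, {prof['signatures']} -> {prof['targets']}")
```

The output is what the manager actually needs before deciding on blocks or hardening: a handful of sources, each with the attack types it used and the services it targeted, rather than thousands of raw alert lines. Events the IPS allowed are excluded, since the question is about the blocked attempts.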
You do B by doing C (and vice versa). However, I think the question here is more about the purpose of the next steps, which is indeed identifying the source and nature of the events. It's an unfair question though, given the ambiguous answer options.
The question is what do you check to identify the source of attempts. Your first step is to review logs, then analyze and determine the nature. Reviewing server and firewall logs would precede any further analysis.
Root cause analysis, i.e., identifying and analyzing the source will be the first recourse. Security assessments of internet-facing systems and reviewing server and firewall logs can support analysis of the depth and nature of problem, but only after identifying the source.
You are more than likely going to need to do C in order to achieve B so it seems a bit backwards HOWEVER... B could potentially be achieved WITHOUT digging through firewall logs.
So if we are being specific about it (which for once ISACA actually is) identifying the source and nature is top priority.
Trying to identify the nature of the attack does make more sense to me. The attack has been prevented, so I don't see the point in reviewing audit logs. Also, as a part of identifying the issue, one would check all types of logs.
I think the correct answer is C. The "first" action is to review and investigate the alerts/logs to understand the behavior of the intrusions. You identify by reviewing the logs to extract as much information as possible.
Would you, as an infosec manager, go and dig through FW logs or would you tell security team to do that, so you can get the bigger picture in the end?
Think like a manager!
Why review the logs when you already know what happened? Why not investigate? I'd go with B