An employee clicked on a link in a phishing email, triggering a ransomware attack. Which of the following should be the information security manager's FIRST step?
D is the correct answer - notify senior mgmt.
Remember this is a CISManager exam so you would manage the situation both up (to senior mgmt) and down (secops engineers).
B. Isolate the impacted endpoints.
Isolating the impacted endpoints should be the information security manager's FIRST step upon discovering that a ransomware attack has been triggered by an employee clicking on a link in a phishing email. This action is essential to prevent the ransomware from spreading further across the organization's network, thereby containing the attack and minimizing potential damage. Isolating affected systems helps in protecting unaffected resources and is a critical step in managing and mitigating the incident effectively.
While senior management's involvement and guidance are essential, especially in handling communications, legal considerations, and overarching organizational responses, the urgency of containing the ransomware attack to minimize its impact dictates that notifying senior management should follow after initial containment efforts have been initiated. This approach aligns with incident response best practices that prioritize immediate actions to secure the organization’s IT environment.
D is the best choice. You have to come to terms with defining the function of an information security manager: this is a managerial position, not an operational position. If it were CASP+ or GIAC, B would be the answer.
Reporting to management first is the correct step even if it does not look like the smartest way. In real life, just inform management first, and a second later, give a call to the IT supervisor to quarantine the PC/whole VLAN/whole network segment. Cut the connections between operations and backup storage links (normally, there should always be an air gap).
The manager himself doesn't do operational work (e.g. isolate endpoints etc.).
Also, if the ransomware has happened, it is too late to deal with endpoints. Now is the time to deal with the request, hence D, notify the big guys.
Knowing the meaning of a ransom attack might help. The ransom attack has already gone beyond containment; it already involves payment, and a decision needs to be made.
Ransomware is a type of malware that locks and encrypts a victim's data, files, devices or systems, rendering them inaccessible and unusable until the attacker receives a ransom payment.
1 PC is locked, I need to FIRST isolate it from the network.
While it's tempting to pick B (isolate), you have to remember that this is a management level exam (similar to CISSP). This means you don't touch anything, only consult, advise, steer... While it is absolutely correct that the next thing you do upon confirming the incident is to contain it (in this case, isolate the affected endpoints), as an infosec manager you don't do that, you go ahead and inform management. So D, in my opinion.
ISACA emphasizes the importance of promptly notifying senior management about security incidents to ensure appropriate decision-making, resource allocation, and coordination of response efforts. Senior management needs to be informed early on to understand the potential impact of the incident, assess the organization's risk exposure, and authorize necessary actions.
Yes, they do that in the Review Manual, yet in their sample questions, they first want you to contain, inform the data owners, and then senior management. Refer to Qs 96 & 103 (10th Ed). They even go ahead and say that senior management should only be informed if the impact is critical. It sucks what they do to our gullible minds, but well.... the answer is A (??) :).
He will not be doing the isolation himself, but instead instructing his direct reports to do it. From there he will reach out to management. But simply not telling their analyst to stop it will allow the problem to go unabated.