Suggested Answer: C
Once an intrusion into your organization's information system has been detected, the first action that needs to be performed is determining to what extent systems and data are compromised (if they really are), and then taking action. This is the good old saying: "Do not cry wolf until you know there is a wolf for sure." Sometimes it smells like a wolf, it looks like a wolf, but it may not be a wolf. Technical problems or bad hardware might cause problems that look like an intrusion even though it might not be one. You must make sure that a crime has in fact been committed before implementing your reaction plan. Information, as collected and interpreted through analysis, is key to your decisions and actions while executing response procedures. This first analysis will provide information such as what attacks were used, what systems and data were accessed by the intruder, what the intruder did after obtaining access, and what the intruder is currently doing (if the intrusion has not been contained). The next step is to communicate with relevant parties who need to be made aware of the intrusion in a timely manner so they can fulfil their responsibilities. Step three is concerned with collecting and protecting all information about the compromised systems and the causes of the intrusion. It must be carefully collected, labelled, catalogued, and securely stored. Containing the intrusion, where tactical actions are performed to stop the intruder's access, limit the extent of the intrusion, and prevent the intruder from causing further damage, comes next. Since it is more of a long-term goal, eliminating all means of intruder access can only be achieved last, by implementing an ongoing security improvement process. Reference used for this question: ALLEN, Julia H., The CERT Guide to System and Network Security Practices, Addison-Wesley, 2001, Chapter 7: Responding to Intrusions (pages 271-289).
At first glance, I see B, except the question mentions "First", which suggests you must identify the issue. C is more closely aligned with identifying, and the NEXT step after you know the issue is to contain it (B).
Hope this helps clear things up!
When a possible intrusion into your organization's information system has been detected, the first action that should be performed is to contain the intrusion. Containment aims to prevent the intruder from further accessing or damaging your system, limit the scope of the breach, and protect your data and resources.
The given answer C would be correct. Think about this from a logical standpoint step by step.
1. IDS goes off and says there is a possible intrusion.
-- ok great, could be a real threat or could be a false positive, right?
-- So you chose B. What system are you going to contain a potential intrusion to?
-- Ok, so let's say you chose to take "System A" offline.
-- What if that's not the point of entry and not the only system compromised?
-- What if someone has persistent access via a network router and is continuing to push malicious code to other systems?
Logically you need to follow:
1. IDS alarm
2. Determine if it's actually an issue and to what extent. If it's an actual intrusion and not just a "possible" one, then continue on.
3. Attempt to contain and cut off access if needed or possible. Sometimes you have no clue where access could be originating from. Email link clicked, so no web attack? Removable media? Through the ISP network?
Long story short, you need to ensure the potential threat and intrusion is real and assess the situation before shutting systems down all willy-nilly.
You're not understanding the question. It mentions that "When a possible intrusion into your organization's information system has been detected". So a potential intrusion has been detected. You need to contain it first. B is right.