When a possible intrusion into your organization's information system has been detected, which of the following actions should be performed first?
When a possible intrusion into an organization's information system is detected, the first action that should be performed is to contain the intrusion. Containing the threat prevents the intruder from further accessing or damaging the system, limits the scope of the breach, and protects data and resources. Once the intrusion is contained, further actions can be taken to determine the extent of the compromise and remediate the system.
B is correct. Why would you look to see what operations have been impacted if the threat is still ongoing?
That's what I thought too, but in order to contain the threat, you must know what parts have been compromised/impacted.
Idk, I am with Newpylong on this one. Everything I have ever seen in security was prioritizing B.
The given answer C would be correct. Think about this from a logical standpoint step by step. 1. IDS goes off and says there is a possible intrusion. -- ok great, could be a real threat or could be a false positive, right? -- So you chose B. What system are you going to contain a potential intrusion to? -- Ok so let's say you chose to take "System A" offline. -- What if that's not the point of entry and not the only system compromised? -- What if someone has persistent access via a network router and is continuing to push malicious code to other systems? Logically you need to follow: 1. IDS alarm. 2. Determine if it's actually an issue and to what extent. If it's an actual intrusion and not just a "possible" one, then continue on. 3. Attempt to contain and cut off access if needed or possible. Sometimes you have no clue where access could be originating from. Email link clicked, so no web attack? Removable media? Through the ISP network? Long story short, you need to ensure the potential threat and intrusion is real and assess the situation before shutting systems down all willy-nilly.
You're not understanding the question. It mentions that "When a possible intrusion into your organization's information system has been detected". So a potential intrusion has been detected. You need to contain it first. B is right.
Contain what? The whole system? Yes, you have to contain it first, but you got to find out which systems are affected first in order to contain it.
contain the whole segment
I think C is correct. We cannot contain the intrusion if we do not know the extent of it.
When a possible intrusion into your organization's information system has been detected, the first action that should be performed is to contain the intrusion. Containment aims to prevent the intruder from further accessing or damaging your system, limiting the scope of the breach, and protecting your data and resources.
At first glance, I see B, except the question mentions "first", which suggests you must identify the issue. C is more closely aligned with identification, and the NEXT step after you know the issue is to contain it (B). Hope this helps clear things up!