Containment Phase
The primary goal is to isolate and prevent the further spread or escalation of the security incident.
System Administrator Actions for Containment
Physically disconnecting the Ethernet cable, disabling unknown user accounts, and configuring firewall rules to block suspicious activities.
Difference between Containment and Eradication
Containment isolates and limits the incident, while eradication removes the root cause and restores systems.
Phase after Containment
Eradication phase.
Lessons Learned Phase
Involves documenting insights and enhancing processes for future incidents.
Preparation Phase
Involves preparing contact information, tools, and processes in advance.
Immediate Removal of Unknown User Account
Represents the Eradication phase.
Risk of Not Properly Containing Incident
Allowing the incident to spread or escalate, leading to more damage or compromising additional systems.