Question 70 (practice exam 12) (additional)

Q: What is the primary goal of the containment phase during an incident response process? A: To isolate and prevent the further spread or escalation of the security incident.

Q: In the given scenario, what actions did the system administrator take to contain the suspicious activity? A: Physically disconnected the Ethernet cable on the database server, disabled the unknown user account, and configured a firewall rule to block file transfers from the server.

Q: How does the containment phase differ from the eradication phase in incident response? A: Containment focuses on isolating and limiting the incident, while eradication involves removing the root cause and restoring systems to a non-compromised state.

Q: What phase of the incident response process typically occurs after the containment phase? A: Eradication.

Q: Which phase of the incident response process involves documenting lessons learned and improving processes for future incidents? A: Lessons learned.

Q: During which phase of the incident response process are contact information, tools, and processes prepared in advance? A: Preparation.

Q: If the system administrator had immediately attempted to remove the unknown user account and restore the database server, which phase would that represent? A: Eradication.

Q: What is the potential risk of not properly containing a security incident before attempting eradication or recovery? A: Allowing the incident to further spread or escalate, potentially causing more damage or compromising additional systems.