A web server in a financial institution that has been compromised using a super-user account has
been isolated, and proper forensic processes have been followed. The next step should be to:
A. rebuild the server from the last verified backup.
B. place the web server in quarantine.
C. shut down the server in an organized manner.
D. rebuild the server with original media and relevant patches.
Explanation:
The original media should be used since one can never be sure of all the changes a super-user
may have made nor the timelines in which these changes were made. Rebuilding from the last-known
verified backup is incorrect since the verified backup may have been compromised by the
super-user at a different time. Placing the web server in quarantine should have already occurred
in the forensic process. Shutting down in an organized manner is out of sequence and no longer a
problem. The forensic process is already finished and evidence has already been acquired.