An information security manager believes that a network file server was compromised by a hacker.
Which of the following should be the FIRST action taken?
A. Ensure that critical data on the server are backed up.
B. Shut down the compromised server.
C. Initiate the incident response process.
D. Shut down the network.
Explanation:
The incident response process will determine the appropriate course of action. If the data have
been corrupted by a hacker, the backup may also be corrupted. Shutting down the server is likely
to destroy any forensic evidence that may exist and may be required by the investigation. Shutting
down the network is a drastic action, especially if the hacker is no longer active on the network.