What would be the best course of action to follow?

A security analyst asks you to look at the traffic he has gathered, and you find several Push flags within the
capture. It seems the packets are sent to an unknown Internet Address (IP) that is not in your network from one
of your own IP addresses, which belongs to a financial database that is critical and must remain up and running 24×7.
This traffic was noticed in the middle of the day. What would be the best course of action to follow?

A.
Shut off the Port to the database and start conducting computer forensics

B.
Let the connection stay up because you do not want to disrupt availability

C.
Contact the FBI or the US Secret Service to give guidance on what steps should be taken

D.
Block the IP address at the perimeter and create a bit level copy of the database server. Run antivirus scan
on the database and add to the IPS a rule to automatically block similar traffic.

Explanation:
Block the IP address at the perimeter and create a bit-level copy of the database server.
Run an antivirus scan on the database and add a rule to the IPS to automatically block similar traffic. It would also
be wise to add a rule on your perimeter gateway, such as your firewall, to block the suspected external IP
address.

The following answers are incorrect:

Contact the FBI or the US Secret Service to give guidance on what steps should be taken? Before you scream that
you are under attack, you must ensure that you are in fact under attack and that some losses have been suffered.
The law enforcement authority might not be interested in your case unless you have suffered losses.

Let the connection stay up because you do not want to disrupt availability? Although availability is a great
concern, you must take action to ensure that information is not at risk.

Shut off the port to the database and start conducting computer forensics? Imposing a total shutdown on a
critical database might cause more issues. You are not even sure what the problem is at this stage. A series of
PUSH flags indicates a transfer of data, which might or might not be malicious.

Source: experience working with incident investigation, and the book “Computer Forensics and Investigation”
by Thompson Learning.
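The triage step behind the correct answer, as an added example that is not part of the original question or its explanation: before blocking anything, confirm which external address the database host is actually pushing data to and how much. The script below is illustrative code written for this page; it assumes a critical database host at 10.0.5.20, treats RFC 1918 ranges as "your network", and reads a constructed capture summary (one TCP segment per line, in a tshark-like "src dst flags payload-bytes" layout) in which 198.51.100.77 is a documentation-range placeholder for the unknown address. It reports only PSH segments leaving the database host for outside addresses, then renders the perimeter block rule the chosen answer calls for.

```python
import ipaddress
from collections import defaultdict

# Constructed assumptions (not from the page): the critical database server
# sits at 10.0.5.20 and RFC 1918 space is treated as the organisation's network.
DB_HOST = "10.0.5.20"
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed capture summary, one TCP segment per line:
# <src ip> <dst ip> <tcp flags> <payload bytes>
# 198.51.100.77 and 203.0.113.5 are TEST-NET placeholders, not real addresses.
SAMPLE_CAPTURE = """\
10.0.5.20 10.0.5.44 PSH,ACK 512
10.0.5.44 10.0.5.20 ACK 0
10.0.5.20 198.51.100.77 SYN 0
198.51.100.77 10.0.5.20 SYN,ACK 0
10.0.5.20 198.51.100.77 PSH,ACK 1460
10.0.5.20 198.51.100.77 PSH,ACK 1460
10.0.5.20 198.51.100.77 PSH,ACK 900
10.0.7.9 203.0.113.5 PSH,ACK 300
"""


def parse_segment(line):
    """Split one summary line into (src, dst, set of TCP flags, payload length)."""
    src, dst, flags, length = line.split()
    return src, dst, set(flags.split(",")), int(length)


def is_internal(ip):
    """True when the address falls inside one of the internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_outbound_push(capture, host):
    """Return {remote_ip: (segment_count, payload_bytes)} for PSH segments that
    `host` sent to addresses outside the internal ranges. Internal-to-internal
    pushes (normal application traffic) and other hosts are ignored."""
    totals = defaultdict(lambda: [0, 0])
    for line in capture.splitlines():
        if not line.strip():
            continue
        src, dst, flags, length = parse_segment(line)
        if src != host or "PSH" not in flags or is_internal(dst):
            continue
        totals[dst][0] += 1
        totals[dst][1] += length
    return {ip: tuple(counts) for ip, counts in totals.items()}


def perimeter_block_rules(remotes):
    """Render a drop rule per suspect address in iptables syntax, the kind of
    rule the explanation says to place on the perimeter gateway."""
    return [f"iptables -I FORWARD -d {ip} -j DROP" for ip in sorted(remotes)]


if __name__ == "__main__":
    suspects = find_outbound_push(SAMPLE_CAPTURE, DB_HOST)
    for ip, (segments, nbytes) in suspects.items():
        print(f"{DB_HOST} -> {ip}: {segments} PSH segments, {nbytes} payload bytes")
    for rule in perimeter_block_rules(suspects):
        print(rule)
```

The output distinguishes the database's routine pushes to an internal client (ignored) from the three segments carrying 3820 bytes to the outside address; that is the evidence to attach to the incident record before the bit-level image is taken, and the single address to feed into the perimeter rule and the IPS signature.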
