A company security system administrator is reviewing the network system log files. He notes the following:
– Network log files are at 5 MB at 12:00 noon.
– At 14:00 hours, the log files are at 3 MB.
What should he assume has happened and what should he do about the situation?
A.
He should contact the attacker’s ISP as soon as possible and have the connection disconnected.
B.
He should log the event as suspicious activity, continue to investigate, and take further steps according to site security policy.
C.
He should log the file size, and archive the information, because the router crashed.
D.
He should run a file system check, because the Syslog server has a self correcting file system problem.
E.
He should disconnect from the Internet discontinue any further unauthorized use, because an attack has taken place.
Explanation:
A log file that has shrunk between two readings is a warning sign (logs may have been truncated or edited to cover an attacker's tracks), but it is not proof of a compromise: a benign cause such as log rotation or an administrator's cleanup is also possible. You should never assume a host has been compromised without verification. Disconnecting a server is an extreme measure that should only be taken when a compromise is confirmed, or when the server holds data so sensitive that the risk of leaving it online outweighs the loss of service. Equally, never assume that an administrator or an automatic process made the change. Always investigate the root cause of the change on the system and follow your organization's security policy.
Correct answer is B
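The check the scenario calls for, as an added example that is not part of the original exam item: take successive size readings of a log file and distinguish an in-place shrink (same inode, fewer bytes, which is the pattern of truncation or editing and is logged as suspicious) from a rotation (inode changed, the file was replaced, which is expected but still worth confirming against the rotation schedule). The observations, inode numbers and time labels below are constructed sample data; the `observe()` helper is an assumed convenience for sampling a real file with `os.stat`.

```python
"""Classify log-size changes: suspicious shrink vs. rotation vs. normal growth.

Added example, not from the original exam item. Sample observations are
constructed; inode numbers and times are made up for illustration.
"""
import os
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Observation:
    """One sample of a log file: time label, size in bytes, inode number."""
    when: str
    size: int
    inode: int


MB = 1024 * 1024

# What site policy (assumed, illustrative) says to do for each verdict.
RECOMMENDED_ACTION = {
    "normal": "no action",
    "rotated": "confirm against the log rotation schedule",
    "truncated": "log as suspicious activity, preserve the file, keep investigating "
                 "per site security policy; do not disconnect without confirmation",
}


def observe(path: str, label: Optional[str] = None) -> Observation:
    """Sample a real file on disk (helper for live use; not needed for the sample data)."""
    st = os.stat(path)
    return Observation(label or datetime.now().isoformat(timespec="minutes"),
                       st.st_size, st.st_ino)


def classify(prev: Observation, curr: Observation) -> str:
    """Assess the transition prev -> curr.

    'rotated'   : inode changed, the file was replaced (logrotate-style).
    'truncated' : same inode but fewer bytes, the live file was rewritten
                  or truncated in place. Suspicious until explained.
    'normal'    : same inode, size grew or stayed the same.
    """
    if curr.inode != prev.inode:
        return "rotated"
    if curr.size < prev.size:
        return "truncated"
    return "normal"


def assess(observations: List[Observation]) -> List[Tuple[str, str, str]]:
    """Walk the readings in order; return (time, verdict, action) for every
    transition that is not plain growth, so an operator sees only anomalies."""
    findings = []
    for prev, curr in zip(observations, observations[1:]):
        verdict = classify(prev, curr)
        if verdict != "normal":
            findings.append((curr.when, verdict, RECOMMENDED_ACTION[verdict]))
    return findings


# Constructed sample readings matching the scenario: 5 MB at noon, 3 MB at 14:00,
# same inode, so the bytes vanished from the live file rather than via rotation.
SCENARIO = [
    Observation("12:00", 5 * MB, 1234),
    Observation("14:00", 3 * MB, 1234),
]

# Constructed contrast case: the file was rotated at 13:00 and a fresh one started.
ROTATION = [
    Observation("12:00", 5 * MB, 1234),
    Observation("13:00", 200 * 1024, 5678),
    Observation("14:00", 3 * MB, 5678),
]

SCENARIO_FINDINGS = assess(SCENARIO)
ROTATION_FINDINGS = assess(ROTATION)

if __name__ == "__main__":
    for name, findings in (("scenario", SCENARIO_FINDINGS), ("rotation", ROTATION_FINDINGS)):
        print(name)
        for when, verdict, action in findings:
            print(f"  {when}: {verdict} -> {action}")
```

The inode comparison is the detail that separates "something rewrote the log in place" from "logrotate replaced it"; on a real system you would also check the rotated archive (is the missing 2 MB sitting in `*.1`?), the file's mtime, and who had write access, before escalating.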