A company has hired a security administrator to maintain and administer Linux and Windowsbased systems. Written in the nightly report file is the followinG.
Firewall log files are at the expected value of 4 MB. The current time is 12am. Exactly two hours
later the size has decreased considerably. Another hour goes by and the log files have shrunk in
size again.
Which of the following actions should the security administrator take?
A.
Log the event as suspicious activity and report this behavior to the incident response team
immediately.
B.
Log the event as suspicious activity,call a manager,and report this as soon as possible.
C.
Run an anti-virus scan because it is likely the system is infected by malware.
D.
Log the event as suspicious activity,continue to investigate,and act according to the site’s
security policy.
the correct answer is A Log the event as suspicious activity and report this behavior to the incident response team
immediately.
Wrong, its D
And what if there is no CSIRT?-..Answer is D