Three similar production servers underwent a vulnerability scan. The scan results revealed that the three servers had two different vulnerabilities rated “Critical”.
The administrator observed the following about the three servers:
The servers are not accessible by the Internet
AV programs indicate the servers have had malware as recently as two weeks ago
The SIEM shows unusual traffic in the last 20 days
Integrity validation of system files indicates unauthorized modifications
Which of the following assessments is valid and what is the most appropriate NEXT step? (Select TWO).
A. Servers may have been built inconsistently
B. Servers may be generating false positives via the SIEM
C. Servers may have been tampered with
D. Activate the incident response plan
E. Immediately rebuild servers from known good configurations
F. Schedule recurring vulnerability scans on the servers
Correct answer should be C followed by D.
A. Servers may have been built inconsistently – incorrect, all three servers show the same two vulnerabilities.
B. Servers may be generating false positives via the SIEM – unlikely, due to the malware reports.
C. Servers may have been tampered with – confirmed, as “Integrity validation of system files indicates unauthorized modifications”.
D. Activate the incident response plan – events establish that a potential incident has occurred; time to follow the incident response plan.
E. Immediately rebuild servers from known good configurations – this would prevent confirmation of damage done and destroy forensic information.
F. Schedule recurring vulnerability scans on the servers – ineffective to control current incident.
If you rebuild immediately, how do you collect data for investigation (assuming it’s required)?