Which of the following procedures would be performed after the root cause of a security incident has been identified to help avoid future incidents from occurring?
For those who are also confused by CompTIA's weird phrasing, and also confused by all the copy-and-paste ChatGPT answers, this is how a human brain rationalised between B & D.
Imo it is not D (Containment), as it does not make sense to start containment only after identifying the root cause of an incident. You contain affected network devices as soon as possible/immediately to prevent further spread in the network REGARDLESS of whether you have identified the root cause. Furthermore, containment does not directly "help to avoid future incidents from occurring", does it?
So B. Lessons learned is the answer.
Lessons learned is a process of identifying and analyzing the root cause of a security incident, and then developing and implementing recommendations to prevent similar incidents from happening in the future.
Containment (option D) is the process of stopping a security incident from spreading and causing further damage. This is an important step in responding to a security incident, but it is not a preventive measure.
Finding the root cause of the problem and eradicating it is done in the 4th phase of an Incident response plan. Recovery and Lessons learned are the next 2 steps to be done.
https://www.securitymetrics.com/blog/6-phases-incident-response-plan
If you find out that you did not change your default password, you change your password immediately. This is considered containment. Later in the Lessons learned stage, you will document the process, to change the default password. The answer is D.
This one confuses me. For the incident response process, we have the acronym PICERL: Preparation, investigation, containment, eradication, recovery and lessons learned. Wouldn't it be D, because containment would be the action once you investigate the root cause? Lessons learned is the very last step that just covers what you could have done better and an overview of the whole event.
GPT: The "lessons learned" phase is an integral part of the incident response process, conducted after an incident has been dealt with. The aim of this phase is to assess the effectiveness of the incident response, to understand how the incident occurred (the root cause), to identify what was done to remediate the incident, and to determine where improvements can be made to avoid similar incidents in the future.
After the root cause of a security incident has been identified, it's important to perform a lessons learned process to identify areas of improvement, review and adjust policies and procedures, and take any necessary corrective actions to prevent future incidents from occurring. The lessons learned process involves a detailed review of the incident, identification of any weaknesses or gaps in security controls, and developing a plan to address these areas.
B. Lessons learned.
After the root cause of a security incident has been identified, "Lessons learned" procedures would be performed to help avoid future incidents from occurring. Lessons learned is a process of analyzing an incident to identify what went wrong, what went well, and what can be improved. By conducting a lessons learned review, an organization can identify the root cause of the incident, evaluate the effectiveness of their incident response plan, and identify areas for improvement. This information can then be used to update policies, procedures, and training programs to help prevent similar incidents from occurring in the future.
B is correct. Lessons learned.
After identifying the root cause of a security incident, performing a lessons learned exercise is essential to avoid future incidents from occurring. The purpose of a lessons learned exercise is to analyze what happened during the incident, identify what worked well and what did not, and make recommendations for improvements in policies, procedures, and controls to prevent similar incidents from occurring in the future.