Exam CS0-003 topic 1 question 170 discussion

Actual exam question from CompTIA's CS0-003
Question #: 170
Topic #: 1

Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off their computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff members should take when they arrive?

  • A. Turn on all systems, scan for infection, and back up data to a USB storage device.
  • B. Identify and remove the software installed on the impacted systems in the department.
  • C. Explain that malware cannot truly be removed and then reimage the devices.
  • D. Log on to the impacted systems with an administrator account that has privileges to perform backups.
  • E. Segment the entire department from the network and review each computer offline.
Suggested Answer: E

Comments

voiddraco
Highly Voted 1 year, 2 months ago
I'm choosing E because segmenting the department from the network would prevent the potential spread of malware to other parts of the network.
upvoted 12 times
...
gomet2000
Highly Voted 8 months, 3 weeks ago
Selected Answer: E
The first step for the incident response team should be E. Segment the entire department from the network and review each computer offline. This approach minimizes the risk of further infection and allows the team to assess the situation in a controlled and secure environment.
upvoted 5 times
...
Learner213
Most Recent 5 months, 1 week ago
Selected Answer: B
The network is already highly segmented. Any more segmenting will have to include an island for each machine. I would log in with admin credentials and attempt to remove the malware first.
upvoted 2 times
ouflomana
1 week, 6 days ago
That's true. However, jumping straight to removal (answer B) skips proper containment and evidence gathering. In answer E, the computers will be reviewed first.
upvoted 1 times
...
...
JacksonTrite
5 months, 3 weeks ago
Why is it not A instead of E? The question indicates that there is already robust network segmentation, and having all devices off at the same time will hamper the organization.
upvoted 1 times
...
projectgtr
10 months ago
Selected Answer: E
Containment is the priority at this point; E addresses this.
upvoted 5 times
...
Studybun
10 months, 1 week ago
Selected Answer: B
It's B.
upvoted 2 times
...
RiccardoBellitto
11 months, 4 weeks ago
Selected Answer: E
Using Copilot: The first step the incident response staff members should take when they arrive in this situation is to segment the entire department from the network and review each computer offline. Let me explain why: Segmentation and Isolation: The compromised systems should be isolated from the network to prevent further spread of the malware. By segmenting the department, you prevent the malware from affecting other parts of the network. Review Offline: Once isolated, the incident response team can review each computer offline. This allows them to analyze the malware, assess the extent of the compromise, and determine the best course of action for recovery.
upvoted 2 times
...