Exam SY0-601 topic 1 question 91 discussion

Perform containment on the critical servers and resources -> Isolation or containment is the first thing to do after an incident has been discovered

If we follow Incident Response Process: 1) Preparation - hardening 2) Identification - detection 3) Containment :) 4) Eradication 5) Recovery 6) Lesson Learned So it has to be CONTAINMENT :)

Passed 758>750, 5-10 Q I knew, rest of like Chinese

here is a quote from CompTIA study guide. The most recent : ,, Platform as a Service Platform as a service (PaaS) provides resources somewhere between SaaS and IaaS. A typical PaaS solution would provide servers and storage network infrastructure (as per IaaS) but also provide a multi-tier web application/database platform on top. This platform could be based on Oracle or MS SQL or PHP and MySQL. Examples include Oracle Database (oracle.com/database), Microsoft Azure SQL Database (azure. microsoft.com/services/sql-database), and Google App Engine (cloud.google.com/ appengine). As distinct from SaaS though, this platform would not be configured to actually do anything. Your own developers would have to create the software (the CRM or e‑commerce application) that runs using the platform. The service provider would be responsible for the integrity and availability of the platform components, but you would be responsible for the security of the application you created on the platform. " SO reading this i think this debate is closed. The answer is SaaS although in practice things are a little more different.

I agree on containment because the pen tester already must have conducted a vulnerability assessment and in the course of pen testing would have the details- (identification) of what system the exfiltrated data is from hence the next step is to contain.

When the penetration tester discovers data exfiltration, the immediate concern should be to prevent further damage and limit the attacker's access. By performing containment on critical servers and resources, the client can isolate the affected systems from the rest of the network, preventing further data exfiltration and minimizing the impact of the breach.

Performing containment involves isolating or segregating the affected servers and resources to prevent further unauthorized access or data exfiltration. This can be done by disconnecting the compromised systems from the network, disabling their access to sensitive data or critical resources, or implementing network segmentation to isolate the affected parts of the infrastructure. Containment is a crucial step to prevent the ongoing exfiltration and minimize the potential impact of the breach. By limiting the attacker's ability to access or extract sensitive information, the organization can mitigate the risk of further data loss or damage.

https://www.sciencedirect.com/topics/computer-science/containment-strategy

B. Perform containment on the critical servers and resources should be the client's NEXT step to mitigate the issue.

If we follow Incident Response Process: 1) Preparation - hardening 2) Identification - detection 3) Containment :) 4) Eradication 5) Recovery 6) Lesson Learned So it has to be CONTAINMENT :)

Perform containment on the critical servers and resources -> Isolation or containment is the first thing to do after an incident has been discovered.

following the Incident Response process: Preparation, Identification (detection), Containment, Eradication, Recovery, Post-Incident. Pen Tester would be the Preparation phase ( constantly new vulnerabilities) Identification is needed to know which systems are affected and the extend of the containment needed. Containment is next. you use what you have identified to know if you need to segment, isolate, or even shutdown completely.

He stopped so he needs to finish so all vulnerable systems are contained