An information security manager has been notified about a compromised endpoint device. Which of the following is the BEST course of action to prevent further damage?
The BEST course of action to prevent further damage in this scenario is "D. Isolate the endpoint device."
When a compromised endpoint device is detected, it is essential to isolate the device as soon as possible to prevent further damage and to minimize the risk of data loss or theft. This can involve disconnecting the device from the network, disabling any active connections, and removing the device from the production environment.
The question asks what BEST prevents further damage.
A. The device stays active, so the damage can go on.
C. Immediate, but when you power on again the damage continues.
D. The remaining code is still active; when you connect back, the damage goes on.
B > C > D, IMO.
You want to isolate; that way you can still conduct some type of investigation, collect some IOCs, and see if there are more in your environment. Eventually you'll want to wipe it, but that is not the first step if you have the capabilities.
Wrong. You want to isolate; that way you can still conduct some type of investigation, collect some IOCs, and see if there are more in your environment. Eventually you'll want to wipe it, but that is not the first step if you have the capabilities.
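Worked example, added here and not part of the original question or of any commenter's post: one concrete form of "isolate the endpoint" that still leaves an investigation channel open, which is the point the comments above make about collecting IOCs before wiping. The script renders an nftables ruleset for a Linux endpoint whose base chains default to drop, and which honours established connections only toward an allow-listed EDR server or forensic collector, so a live attacker session is cut at the next packet rather than grandfathered in. The table name `ir_quarantine`, the `QuarantinePolicy` type and the RFC 5737 documentation addresses are assumptions constructed for this example.

```python
"""Render a host-level nftables quarantine for a compromised Linux endpoint.

Added example; all names and addresses are constructed for illustration.
203.0.113.10 stands in for an EDR server and 192.0.2.0/24 for a forensic
collector network (both RFC 5737 documentation ranges).
"""
import ipaddress
import subprocess
from dataclasses import dataclass, field
from typing import List


@dataclass
class QuarantinePolicy:
    """What the isolated host may still reach. Nothing else passes."""
    allowed_hosts: List[str]                  # IPv4 hosts or CIDR blocks
    allowed_tcp_ports: List[int] = field(default_factory=lambda: [443])
    table: str = "ir_quarantine"              # hypothetical nft table name


def validate(policy: QuarantinePolicy) -> None:
    """Refuse a policy that would isolate nothing, or isolate everything."""
    if not policy.allowed_hosts:
        raise ValueError("allow-list is empty: the host would lose its EDR channel")
    for host in policy.allowed_hosts:
        net = ipaddress.ip_network(host, strict=False)    # raises on garbage
        if net.version != 4:
            raise ValueError(f"{host}: this example only models IPv4 allow-listing")
        if net.prefixlen == 0:
            raise ValueError(f"{host}: 0.0.0.0/0 would allow everything")
    for port in policy.allowed_tcp_ports:
        if not 0 < port < 65536:
            raise ValueError(f"bad TCP port {port}")


def _nft_addr(host: str) -> str:
    """Format a host or block the way nft expects inside an interval set."""
    net = ipaddress.ip_network(host, strict=False)
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def render_ruleset(policy: QuarantinePolicy) -> str:
    """Build an nft script with policy drop on input, output and forward.

    'established,related' is accepted only when the peer is in the allow-list,
    so an attacker's existing C2 session is dropped immediately. The first two
    lines create-then-delete the table so the script is idempotent. DNS is
    deliberately not allowed: the allow-list is IP based on purpose.
    """
    validate(policy)
    hosts = ", ".join(_nft_addr(h) for h in policy.allowed_hosts)
    ports = ", ".join(str(p) for p in sorted(set(policy.allowed_tcp_ports)))
    t = policy.table
    return f"""\
table inet {t}
delete table inet {t}
table inet {t} {{
    set allowed_hosts {{
        type ipv4_addr
        flags interval
        elements = {{ {hosts} }}
    }}
    chain input {{
        type filter hook input priority -300; policy drop;
        iif "lo" accept
        ct state invalid drop
        ip saddr @allowed_hosts tcp sport {{ {ports} }} ct state established,related accept
        ip saddr @allowed_hosts tcp dport {{ {ports} }} accept
    }}
    chain output {{
        type filter hook output priority -300; policy drop;
        oif "lo" accept
        ip daddr @allowed_hosts tcp dport {{ {ports} }} accept
        ip daddr @allowed_hosts tcp sport {{ {ports} }} ct state established,related accept
    }}
    chain forward {{
        type filter hook forward priority -300; policy drop;
    }}
}}
"""


def apply_ruleset(ruleset: str, check_only: bool = True) -> int:
    """Feed the script to nft. check_only uses `nft -c`, which parses and
    validates without touching the kernel. Root is required either way."""
    cmd = ["nft", "-c", "-f", "-"] if check_only else ["nft", "-f", "-"]
    return subprocess.run(cmd, input=ruleset, text=True).returncode


if __name__ == "__main__":
    demo = QuarantinePolicy(allowed_hosts=["203.0.113.10", "192.0.2.0/24"],
                            allowed_tcp_ports=[443, 22])
    print(render_ruleset(demo))           # review first, then `nft -f` to apply
```

The allow-list is symmetric: the endpoint may initiate to the listed hosts on the listed ports (EDR check-in on 443) and the listed hosts may initiate to the endpoint (responder SSH on 22), with replies accepted only for those peers. Because another nft table with its own drop rule still wins, check the host's existing firewall tables before relying on the `accept` lines for the evidence channel.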
Community vote distribution: A (35%), C (25%), B (20%), Other.