CompTIA CASP+ (CAS-003) — Question 53

At a meeting, the systems administrator states the security controls a company wishes to implement seem excessive, since all of the information on the company's web servers can be obtained publicly and is not proprietary in any way. The next day the company's website is defaced as part of an SQL injection attack, and the company receives press inquiries about the message the attackers displayed on the website.
Which of the following is the FIRST action the company should take?

Answer options

• A. Refer to and follow procedures from the company's incident response plan.
• B. Call a press conference to explain that the company has been hacked.
• C. Establish chain of custody for all systems to which the systems administrator has access.
• D. Conduct a detailed forensic analysis of the compromised system.
• E. Inform the communications and marketing department of the attack details.

Correct answer: A

Explanation

The first action should be to refer to and follow procedures from the company's incident response plan, as this will guide the organization on how to respond effectively to the incident. Calling a press conference, establishing a chain of custody, conducting a forensic analysis, or informing the marketing department may be necessary later, but they should come after implementing the immediate response procedures outlined in the incident response plan.