CompTIA CySA+ (CS0-003) — Question 161
A systems administrator notices unfamiliar directory names on a production server. The administrator reviews the directory listings and files, and then concludes the server has been compromised. Which of the following steps should the administrator take next?
Answer options
- A. Inform the internal incident response team.
- B. Follow the company's incident response plan.
- C. Review the lessons learned for the best approach.
- D. Determine when the access started.
Correct answer: B
Explanation
The correct answer is B: following the company's incident response plan ensures a structured and effective approach to managing the incident. Answer A, while important, is only one part of that broader plan. Answer C is not an immediate action and focuses on past experiences rather than the current incident. Answer D, while useful for understanding the breach, does not address the urgent need for a coordinated response.