CompTIA CySA+ (CS0-003) — Question 93

Two employees in the finance department installed a freeware application that contained embedded malware. The network is robustly segmented based on areas of responsibility. These computers had critical sensitive information stored locally that needs to be recovered. The department manager advised all department employees to turn off their computers until the security team could be contacted about the issue. Which of the following is the first step the incident response staff members should take when they arrive?

Answer options

• A. Turn on all systems, scan for infection, and back up data to a USB storage device.
• B. Identify and remove the software installed on the impacted systems in the department.
• C. Explain that malware cannot truly be removed and then reimage the devices.
• D. Log on to the impacted systems with an administrator account that has privileges to perform backups.
• E. Segment the entire department from the network and review each computer offline.

Correct answer: E

Explanation

The correct answer is E because isolating the department from the network prevents further spread of the malware and ensures that the incident can be addressed without external interference. The other options could potentially exacerbate the situation by allowing the malware to spread or by compromising the integrity of the evidence needed for investigation.