CompTIA Security+ (SY0-501) — Question 91

An incident response analyst at a large corporation is reviewing proxy log data. The analyst believes a malware infection may have occurred. Upon further review, the analyst determines the computer responsible for the suspicious network traffic is used by the Chief Executive Officer (CEO).
Which of the following is the best NEXT step for the analyst to take?

Answer options

• A. Call the CEO directly to ensure awareness of the event
• B. Run a malware scan on the CEO's workstation
• C. Reimage the CEO's workstation
• D. Disconnect the CEO's workstation from the network

Correct answer: D

Explanation

The best next step is to disconnect the CEO's workstation from the network to prevent any potential spread of malware or further unauthorized access. While informing the CEO or running a malware scan are important, immediate disconnection mitigates risks. Reimaging the workstation is a more drastic measure that should come after ensuring the system is isolated and assessed.