CompTIA Security+ (SY0-601) — Question 279
A systems engineer thinks a business system has been compromised and is being used to exfiltrate data to a competitor. The engineer contacts the CSIRT. The CSIRT tells the engineer to immediately disconnect the network cable and to not do anything else. Which of the following is the most likely reason for this request?
Answer options
- A. The CSIRT thinks an insider threat is attacking the network.
- B. Outages of business-critical systems cost too much money.
- C. The CSIRT does not consider the systems engineer to be trustworthy.
- D. Memory contents, including fileless malware, are lost when the power is turned off.
Correct answer: D
Explanation
The correct answer is D: disconnecting the network cable stops any further data exfiltration while keeping the system powered on, so volatile memory (RAM) remains available for forensic capture. Fileless malware resides only in memory, and that evidence would be lost if the system were powered down. Options A and C do not relate to the immediate technical response required, and B, although true regarding outage costs, does not address the urgency of preserving evidence of the compromise.