Computer Hacking Forensic Investigator (CHFI v10) — Question 223
The information security manager at a national legal firm has received several alerts from the intrusion detection system that a known attack signature was detected against the organization's file server. What should the information security manager do first?
Answer options
- A. Disconnect the file server from the network
- B. Update the anti-virus definitions on the file server
- C. Report the incident to senior management
- D. Manually investigate to verify that an incident has occurred
Correct answer: D
Explanation
The correct answer is D. An IDS signature match is an alert, not a confirmed incident: signature-based detection produces false positives, and several alerts for the same signature may be one scanner, one misconfigured client, or a genuine attack. The first step in incident response is therefore to verify that an incident has actually occurred, by checking the alert against evidence on the file server itself (authentication and audit logs, unexpected processes or files, outbound connections) before any containment or escalation. Disconnecting the file server (option A) is a containment action that disrupts the business and can destroy volatile evidence; it may well be the right next step, but only after the compromise is confirmed. Updating anti-virus definitions (option B) is a remediation or prevention step and does not address the alert at hand. Reporting to senior management (option C) is required once an incident is confirmed, in line with the escalation procedure, but reporting an unverified alert wastes management attention and loses credibility if it turns out to be a false positive.
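The verification step in option D usually means correlating the IDS alerts with host-side evidence from the file server. The following Python script is an added example, not part of the CHFI question or its explanation. It parses alerts in the Snort "fast" output format and checks each one against the file server's audit log for the same source address within a short window, then classifies the alert as confirmed (post-exploitation activity on the host), probable (a successful session from the attacking host), attempt only (traffic reached the host but failed), or unconfirmed (no host evidence, a likely false positive). All alert lines, log lines, IP addresses and signature IDs are constructed for the example; the key=value audit-log layout, the alert year and the correlation window are assumptions, not something the question specifies.

```python
"""Triage IDS signature alerts against file-server host logs (added example).

Constructed data throughout: the Snort 'fast' alert layout is real, but the
signature IDs, addresses and the key=value host audit-log format are assumed.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

ALERT_YEAR = 2024            # assumed: Snort fast-format timestamps carry no year
WINDOW = timedelta(seconds=120)  # assumed: host evidence within 2 min after the alert
SKEW = timedelta(seconds=5)      # assumed: tolerated clock skew between sensor and host

# Constructed IDS alerts (Snort 'fast' format).
IDS_ALERTS = """\
01/15-10:02:11.123456  [**] [1:1000001:1] CONSTRUCTED SMB remote code execution attempt [**] [Priority: 1] {TCP} 10.0.5.21:49152 -> 10.0.1.10:445
01/15-10:02:12.654321  [**] [1:1000001:1] CONSTRUCTED SMB remote code execution attempt [**] [Priority: 1] {TCP} 10.0.5.21:49153 -> 10.0.1.10:445
01/15-10:09:40.000001  [**] [1:1000001:1] CONSTRUCTED SMB remote code execution attempt [**] [Priority: 1] {TCP} 10.0.7.88:51000 -> 10.0.1.10:445
01/15-11:30:05.000001  [**] [1:1000002:1] CONSTRUCTED SMB suspicious pipe access [**] [Priority: 2] {TCP} 10.0.9.5:40010 -> 10.0.1.10:445
"""

# Constructed file-server audit log (assumed key=value layout, UTC timestamps).
HOST_LOG = r"""
2024-01-15T10:02:11Z host=fs01 src=10.0.5.21 event=smb_session_setup result=failure
2024-01-15T10:02:12Z host=fs01 src=10.0.5.21 event=smb_session_setup result=success user=svc_backup
2024-01-15T10:02:14Z host=fs01 src=10.0.5.21 event=process_create image=C:\Windows\Temp\x.exe parent=spoolsv.exe
2024-01-15T10:09:41Z host=fs01 src=10.0.7.88 event=smb_session_setup result=failure
2024-01-15T10:09:42Z host=fs01 src=10.0.7.88 event=smb_session_setup result=failure
2024-01-15T12:00:00Z host=fs01 src=10.0.2.2 event=smb_session_setup result=success user=jdoe
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d-\d\d:\d\d:\d\d\.\d+)\s+\[\*\*\]\s+\[(?P<sid>[\d:]+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_alerts(text):
    """Parse Snort fast-format lines into dicts with a timezone-aware timestamp."""
    alerts = []
    for line in text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # skip anything that is not a well-formed alert line
        a = m.groupdict()
        a["ts"] = datetime.strptime(f"{ALERT_YEAR}/{a['ts']}", "%Y/%m/%d-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
        alerts.append(a)
    return alerts


def parse_host_log(text):
    """Parse the assumed key=value audit log into dicts keyed by field name."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_str, *kvs = line.split()
        ev = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
        for kv in kvs:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def triage_alert(alert, host_events):
    """Classify one alert by the host evidence from the same source IP near the alert time."""
    lo, hi = alert["ts"] - SKEW, alert["ts"] + WINDOW
    related = [e for e in host_events if e.get("src") == alert["src"] and lo <= e["ts"] <= hi]
    if any(e.get("event") == "process_create" for e in related):
        return "confirmed"      # new process on the file server after the attack traffic
    if any(e.get("event") == "smb_session_setup" and e.get("result") == "success" for e in related):
        return "probable"       # attacker obtained a session; investigate what it did
    if related:
        return "attempt_only"   # traffic reached the host but every action failed
    return "unconfirmed"        # nothing on the host corroborates the signature


def triage(ids_text, host_text):
    """Return one verdict record per alert, in alert order."""
    host_events = parse_host_log(host_text)
    return [
        {"sid": a["sid"], "src": a["src"], "dst": a["dst"], "msg": a["msg"],
         "verdict": triage_alert(a, host_events)}
        for a in parse_alerts(ids_text)
    ]


def summarize(results):
    """Count verdicts so the manager sees what needs escalation versus tuning."""
    return dict(Counter(r["verdict"] for r in results))


if __name__ == "__main__":
    for r in triage(IDS_ALERTS, HOST_LOG):
        print(f"{r['verdict']:<13} sid={r['sid']} {r['src']} -> {r['dst']}  {r['msg']}")
    print(summarize(triage(IDS_ALERTS, HOST_LOG)))
```

With the constructed data, the two alerts from 10.0.5.21 are confirmed by a process creation on the file server, the alert from 10.0.7.88 is an attempt that failed, and the last alert has no host evidence at all. Only the confirmed (and, after a closer look, probable) verdicts justify containment and a report to senior management; the unconfirmed one is a signature-tuning task. The skew allowance matters in practice, since sensor and server clocks are rarely aligned to the second.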