Certified Ethical Hacker (CEH) — Question 90
A company has hired a security administrator to maintain and administer Linux and Windows-based systems. Written in the nightly report file is the following:
Firewall log files are at the expected size of 4 MB. The current time is 12 am. Exactly two hours later, the size has decreased considerably. Another hour goes by and the log files have shrunk again.
Which of the following actions should the security administrator take?
Answer options
- A. Log the event as suspicious activity and report this behavior to the incident response team immediately.
- B. Log the event as suspicious activity, call a manager, and report this as soon as possible.
- C. Run an anti-virus scan because it is likely the system is infected by malware.
- D. Log the event as suspicious activity, continue to investigate, and act according to the site's security policy.
Correct answer: D
Explanation
The correct answer is D because it calls for thorough investigation and adherence to the site's security policy, which is crucial when handling a potential security incident. Log files normally grow over time; a log that repeatedly shrinks may indicate tampering (entries being deleted to cover tracks), but it may also have a benign cause such as log rotation or an archiving job, so the administrator should establish which before escalating. Options A and B suggest immediate reporting without further investigation, which may overlook the underlying cause. Option C focuses on malware without considering the other possible causes of the decrease in log file size.