GIAC Certified Incident Handler (GCIH) — Question 111
You are responding to an incident in which the organization's Extranet server has been compromised. The Extranet is the browser home page for most users in the organization. You have been instructed to watch the attacker, but minimize the business impact and the risk of further compromise. How can you continue providing services to the organization's users while isolating the compromised server?
Answer options
- A. Point the domain name to the IP address of a secondary, patched production server
- B. Change the server IP address to a different IP address
- C. Isolate the switch port and put the system on a quarantined VLAN
- D. Rebuild the system during a downtime window and restore the service
Correct answer: A
Explanation
The correct answer is A: redirecting the domain name to a patched secondary server lets users keep accessing the Extranet without interruption while the compromised server is isolated. Option B does not address user access. Option C isolates the server but does not provide a solution for user access. Option D would lead to downtime, which contradicts the goal of minimizing business impact.