CISM Certified Information Security Manager – Question1405

An unauthorized user gained access to a merchant's database server and customer credit card information. Which of the following would be the FIRST step to preserve and protect unauthorized intrusion activities?

A. Shut down and power off the server.
B. Duplicate the hard disk of the server immediately.
C. Isolate the server from the network.
D. Copy the database log file to a protected server.

Correct Answer: C

Explanation:
Isolating the server will prevent further intrusions and protect evidence of intrusion activities left in memory and on the hard drive. Some intrusion activities left in virtual memory may be lost if the system is shut down. Duplicating the hard disk will only preserve the evidence on the hard disk, not the evidence in virtual memory, and will not prevent further unauthorized access attempts. Copying the database log file to a protected server will not provide sufficient evidence should the organization choose to pursue legal recourse.