Certified Incident Handler (CIH) Practice Exam

Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Which of the following actions should an incident responder NOT perform during the recovery stage of incident response?

  1. Replace cleaned copies with infected files

  2. Verify the integrity of restored data

  3. Confirm that necessary security patches are applied

  4. Re-enable disabled accounts cautiously

The correct answer is: Replace cleaned copies with infected files

During the recovery stage of incident response, it is critical to ensure that compromised systems are thoroughly cleaned and secured before bringing them back online. Replacing cleaned copies with infected files directly undermines the recovery process and can reintroduce vulnerabilities or malware to the network. The primary focus during recovery should be on restoring systems to a secure, operational state while ensuring that no remnants of the attack remain. Verifying the integrity of restored data, confirming that necessary security patches are applied, and cautiously re-enabling disabled accounts are all vital actions to maintain security and prevent future incidents. Each of these actions helps ensure that systems are secure, updated, and not at risk of reinfection, creating a safer operating environment moving forward.