Which of the following actions should an incident responder NOT perform during the recovery stage of incident response?
Replace cleaned copies with infected files
Verify the integrity of restored data
Confirm that necessary security patches are applied
Re-enable disabled accounts cautiously
The correct answer is: Replace cleaned copies with infected files
During the recovery stage of incident response, it is critical to ensure that compromised systems are thoroughly cleaned and secured before bringing them back online. Replacing cleaned copies with infected files directly undermines the recovery process and can reintroduce vulnerabilities or malware to the network. The primary focus during recovery should be on restoring systems to a secure, operational state while ensuring that no remnants of the attack remain. Verifying the integrity of restored data, confirming that necessary security patches are applied, and cautiously re-enabling disabled accounts are all vital actions to maintain security and prevent future incidents. Each of these actions helps ensure that systems are secure, updated, and not at risk of reinfection, creating a safer operating environment moving forward.