Certified Incident Handler (CIH) Practice Exam


Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!


Which of the following practices will not help incident responders recover the resources from a web application security incident?

  1. Retain the malware with the affected applications and its resources

  2. Rebuild the entire system if the backup is available for the damaged systems

  3. Conduct a thorough post-incident review

  4. Restore from the latest clean backup

The correct answer is: Retain the malware with the affected applications and its resources

Retaining the malware with the affected applications and their resources is not a practice that will aid incident responders in recovering from a web application security incident. Holding onto malware is inherently unsafe as it can lead to further compromise or contagion within the system. It prevents the successful identification and mitigation of vulnerabilities because the presence of malware complicates the recovery process and obscures the ability to assess the full extent of the damage.

Conversely, rebuilding the entire system from a backup, conducting a thorough post-incident review, and restoring from a clean backup are effective strategies for recovery. Rebuilding promotes a fresh start, minimizing risks associated with existing vulnerabilities. Conducting a post-incident review allows responders to gather valuable insights, improve future response efforts, and bolster security measures to prevent similar incidents. Restoring from a clean backup ensures that the system returns to a known good state, free from malicious influences and compromised resources. These practices contribute positively to the overall recovery after a web application security incident.