Certified Incident Handler (CIH) Practice Exam


Prepare for the Certified Incident Handler (CIH) Exam. Enhance your knowledge with interactive quizzes and detailed insights into cyber incident handling. Boost your exam readiness with our expert-designed questions!

Each practice test/flash card set has 50 randomly selected questions from a bank of over 500. You'll get a new set of questions each time!



Which of the following practices should not be performed by the system administrator during first response?

  1. Isolate affected systems from the network

  2. If an ongoing attack is detected, directly power down the computing systems

  3. Document user activity on the system

  4. Maintain a record of system configurations

The correct answer is: If an ongoing attack is detected, directly power down the computing systems

Directly powering down computing systems during an ongoing attack is not advisable for a system administrator in the first response phase. When an attack is detected, the primary goal is to preserve evidence and understand the attack dynamics, which is crucial for the incident response and for future prevention strategies. Powering down a system can destroy volatile data that may be critical to investigating the breach, such as running processes, active network connections, memory contents, and other state information. In contrast, isolating affected systems from the network is a standard practice to prevent the attack from spreading while keeping the system state intact. Documenting user activity helps establish the timeline and the actions taken during the incident, and maintaining a record of system configurations assists in evaluating the system's state before the incident and aids recovery. All three of these practices support a systematic approach to incident handling that preserves evidence and system integrity while mitigating damage.