CompTIA Security Plus Mock Test Q301

During which of the following phases of the Incident Response process should a security administrator define and implement general defense against malware?

A. Lessons Learned
B. Preparation
C. Eradication
D. Identification

Correct Answer: B
Section: Compliance and Operational Security

Explanation:
Incident response procedures involve: preparation; incident identification; escalation and notification; mitigation steps; lessons learned; reporting; recovery/reconstitution procedures; first responder; incident isolation (quarantine; device removal); data breach; damage and loss control. It is important to stop malware before it ever gets hold of a system, so you should know which malware is out there and take defensive measures in advance. Defining and implementing general defenses against malware infection is therefore part of preparation, the phase that takes place before any incident occurs.

Incorrect Answers:
A: Lessons learned is one of the later phases of incident response, carried out after the event has occurred. Its findings may feed back into preparation, but it is not the phase in which general defenses are defined and implemented.
C: Eradication is done after the infection has already occurred and thus cannot be considered general defense.
D: Incident Identification presumes that the incident already occurred – thus it cannot be considered general defense against malware.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 121-122, 429