CompTIA Security Plus Mock Test Q303

The helpdesk reports increased calls from clients reporting spikes in malware infections on their systems. Which of the following phases of incident response is MOST appropriate as a FIRST response?

A. Recovery
B. Follow-up
C. Validation
D. Identification
E. Eradication
F. Containment

Correct Answer: D
Section: Compliance and Operational Security

Explanation:
To respond to a malware infection you first need to know what type of malware is involved, since there are many types of malware in circulation. This makes identification the critical first step in this case.

Incorrect Answers:
A: Recovering from the malware incident can only happen after you have identified the type of malware involved.
B: Follow-up is exactly that – following the incident – and not a first response.
C: Validation is not an appropriate first response when dealing with a malware infection. Validation only comes into effect as a prevention measure against LDAP injection attacks.
E: Eradication of malware infections can only be done successfully after the malware involved has been identified. Thus the best first response would be identification and not eradication.
F: Containment is akin to quarantine and is usually a last resort when one cannot eradicate the malware from the systems.

References:
Dulaney, Emmett and Chuck Easttom, CompTIA Security+ Study Guide, 6th Edition, Sybex, Indianapolis, 2014, pp. 301-309, 338, 429
http://www.certiguide.com/secplus/cg_sp_SixStepIncidentResponseProcess.htm