A technician is responding to a security incident where an employee's credentials were used to access a server without authorization. The employee claims they did not perform the action. Which of the following should the technician do first to remediate the compromised account?
Trap 1: Reset the account password and enable MFA.
While these are important, the first step must be to disable the account to stop ongoing unauthorized access immediately.
Trap 2: Review the server logs to determine the extent of the breach.
Log review is important for investigation, but containment (disabling the account) should come first to prevent further damage.
Trap 3: Notify the employee's manager and HR department.
Notification is part of the incident response process, but the immediate technical step is to disable the compromised account.
- A
Reset the account password and enable MFA.
Why wrong: While these are important, the first step must be to disable the account to stop ongoing unauthorized access immediately.
- B
Disable the account to prevent further access.
Disabling the account is the first containment step; it stops the attacker from using the credentials while the investigation and remediation proceed.
- C
Review the server logs to determine the extent of the breach.
Why wrong: Log review is important for investigation, but containment (disabling the account) should come first to prevent further damage.
- D
Notify the employee's manager and HR department.
Why wrong: Notification is part of the incident response process, but the immediate technical step is to disable the compromised account.