A security administrator is reviewing the system logs of a recently compromised server. They notice several log entries with failed login attempts followed by a single successful login attempt from an unfamiliar remote IP address. After the successful login, there are commands executed that elevate the privileges of the newly logged-in user. Which of the following actions should the security administrator prioritize to mitigate the immediate threat?
Conduct an immediate forensic analysis on the server.
Review and update firewall settings to restrict remote access.
The security administrator should immediately disable the compromised account to prevent the attacker from maintaining access and causing further damage. While changing the passwords of other accounts and reviewing the firewall settings are important measures, they do not directly address the immediate threat of continued unauthorized access. Performing a forensic analysis is a subsequent step, taken after the threat has been contained.