Incident Eradication and Recovery

Correct Answer: Apply tailored patches to close exploited vulnerabilities

The correct strategy during the incident eradication phase, especially when dealing with a persistent network worm that attempts reinfection, is to 'Apply tailored patches to close exploited vulnerabilities'. This action directly addresses the weaknesses that the worm is exploiting, preventing it from being able to reinfect systems after they have been cleaned. Eradicating the vulnerability is essential to stopping the worm's ability to spread and cause further damageThe option suggesting 'Formatting all infected systems without performing any forensic analysis' is not advisable as the primary strategy. While formatting might temporarily remove the worm, it does not address the underlying vulnerability that allowed the infection in the first place. Moreover, it destroys valuable forensic evidence that could help understand the worm's behavior, develop more effective defenses, and potentially identify the source of the infectionIncreasing network bandwidth is not an effective strategy for combating a network worm. While it might alleviate some symptoms by accommodating the extra traffic, it does not address the worm itself or prevent reinfections. It's a reactive measure that doesn't contribute to resolving the core issueInforming customers about the worm and recommending that they avoid using services until resolved is part of communication and containment but is not a direct eradication tactic. While it's important to keep stakeholders informed, it doesn't contribute to the actual removal or prevention of the worm's ability to reinfect systems.

Correct Answer: Revert to the last known good configuration after isolating the affected systems.

The most effective step in the eradication and recovery process after detecting unauthorized alterations to system configuration files is to revert to the last known good configuration after isolating the affected systems. This action ensures that systems are returned to a secure, pre-compromise state, eliminating any changes made by the attacker. Additionally, isolating the affected systems helps prevent the spread of any potential compromise to other parts of the network. Restoring from a known good configuration is a standard best practice in incident response because it provides a reliable baseline from which to rebuild. The other answers fall short for the following reasons: Leaving the altered configurations in place means that the unauthorized changes, which could be malicious or harmful, would continue to affect the integrity of the systems. Monitoring systems without addressing the root cause is not a sufficient response to a security incident. Updating all system passwords while continuing normal operations without a rollback does not rectify the unauthorized changes to the system configurations and hence does not eradicate the threat. Manually correcting the configurations based on memory is not feasible as it is prone to human error, lacks the reliability of a systematic approach, and does not guarantee the removal of all unauthorized modifications.

Correct Answer: Sanitize all input fields and implement parameterized queries

The most effective approach to ensure complete threat removal during the eradication phase of a sophisticated SQL injection attack is to sanitize all input fields and implement parameterized queries. This option addresses the root cause of SQL injection vulnerabilities by ensuring that user input is properly validated and sanitized before being used in database queries. Parameterized queries separate the SQL code from the data, making it impossible for malicious input to alter the structure of the query. The other options, while important for overall security, do not directly address the specific threat of SQL injection: Updating passwords and enforcing password policies is a good practice but doesn't prevent SQL injection attacks. Patching the web application server and restricting database user privileges are important security measures but don't specifically target SQL injection vulnerabilities. Implementing web application firewalls and conducting penetration testing are valuable security practices, but they are more focused on detection and prevention rather than eradication of an existing SQL injection vulnerability. By sanitizing input and using parameterized queries, organizations can effectively eradicate the SQL injection vulnerability and prevent future occurrences of this type of attack.