Incident Response

Correct Answer: Implement and enforce strong password policies

The best course of action to prevent similar attacks in the future is to 'Implement and enforce strong password policies'. This involves the use of complex and unique passwords, possibly comprising a combination of alphanumeric characters and symbols. Regularly changing passwords every week may not necessarily enhance security and could lead to employees forgetting their passwords and creating potential security vulnerabilities. Banning the affected employees from using the network isn't a solution, as the underlying problem of weak password practice would still exist. Limiting the number of devices that can access the network does not directly address the issue of weak or guessable passwords.

Correct Answer: Mitigate the attack and minimize the service downtime

The correct answer is 'Mitigate the attack and minimize the service downtime'. This should be the first priority of a network administrator during a denial-of-service (DoS) attack. The reason for this is that a DoS attack aims to make a machine or network resource unavailable to users, causing disruptions in service. Therefore, mitigating it quickly is crucial to minimizing downtime and maintaining service continuity. The other options, while potentially valuable in certain circumstances, are secondary to the direct management of the incident. 'Identifying the attackers and reporting them to the authorities' might be an important part in the aftermath of an attack, but it is not the immediate priority in the midst of a DoS attack. 'Upgrading the server's hardware to handle the attack' isn’t the proper response during an ongoing attack. Hardware upgrades require time and could even exacerbate downtime rather than decrease it. Finally, 'Disconnecting the server from the network' would indeed stop the attack because the server would no longer be accessible. However, this action would also disrupt the service, defeating the purpose of trying to maintain service uptime.

Correct Answer: Disable the compromised account

The best immediate action in this scenario is to disable the compromised account. This step is crucial because:

1. It prevents further unauthorized access to sensitive data.
2. It stops the attacker from causing more damage or spreading to other systems.
3. It allows time for a thorough investigation while containing the breach.

Changing the password is not sufficient as the attacker might have other means of access.

Running a full system scan is important but not the immediate priority; the account needs to be secured first.

Notifying all employees via email is premature and could potentially alert the attacker, leading to hasty actions that might complicate the investigation.

After disabling the account, the incident response team should:
1. Investigate the extent of the breach
2. Identify how the account was compromised
3. Review access logs and user activity
4. Implement additional security measures
5. Prepare a detailed report for management and relevant stakeholders

Only after a thorough investigation should broader communication and system-wide actions be considered.