A web server is attacked and compromised. Which of the following should be performed FIRST to
handle the incident?

Dump the volatile storage data to a disk.
Run the server in a fail-safe mode.
Disconnect the web server from the network.
Shut down the web server.

The first action is to disconnect the web server from the network to contain the damage and prevent
more actions by the attacker. Dumping the volatile storage data to a disk may be used at the
investigation stage but does not contain an attack in progress. To run the server in a fail-safe mode,
the server needs to be shut down. Shutting down the server could potentially erase information that
might be needed for a forensic investigation or to develop a strategy to prevent future similar attacks.