CompTIA CASP+ Practice Test

What is the recommended immediate response when a system appears to be under a dictionary attack?

• A. Notify the users immediately
• B. Reboot the server to restore performance
• C. Isolate the system and begin forensic analysis
• D. Change the root password

The correct answer is: Isolate the system and begin forensic analysis

When a system is suspected of being under a dictionary attack, isolating the system and beginning forensic analysis is the most appropriate immediate response. A dictionary attack involves an attacker attempting to gain access by systematically entering every word in a predefined list (or dictionary) of terms, often passwords. Isolating the system helps prevent further unauthorized access and protects the integrity of any data that may be compromised. Initiating forensic analysis at this stage is crucial as it allows security professionals to gather evidence of the attack's nature, the extent of any potential breaches, and the methods used by the attacker. This evidence is vital not only for remediation efforts but also for understanding vulnerabilities in the system, which can then be addressed to prevent future incidents. Furthermore, this response allows for a careful examination of logs and other system activities that can highlight suspicious behavior. By taking the system offline, it also affords the team the breathing room to analyze the situation without ongoing interference from the attack itself. Other responses, such as notifying users or changing passwords, while important parts of incident response, do not directly address the immediate need to assess and contain the attack. Rebooting the server may affect the ability to perform a thorough forensic examination and could potentially lead to a loss of valuable evidence.