Which of the following activities should a systems administrator perform to quarantine a potentially infected system?
A. Move the device into an air-gapped environment.
B. Disable remote logins through Group Policy.
C. Convert the device into a sandbox.
D. Remote wipe the device using the MDM platform.
Correct Answer: A. Move the device into an air-gapped environment.
Quarantining a potentially infected system means isolating it from the rest of the network to prevent malware from spreading or attackers from maintaining communication. Moving the device into an air-gapped environment achieves this by physically or logically disconnecting it from the production network and the internet. This allows forensic investigation, containment, and remediation to proceed without risking further compromise of other systems. The air gap ensures no data exfiltration or lateral movement can occur while still preserving the system's state for analysis. This step is especially critical in environments where malware may attempt to propagate rapidly, such as ransomware. Air-gapping is a standard incident response practice because it balances the need for immediate containment with the requirement to preserve evidence for investigation, unlike wiping, which destroys it. It is the most effective first step when quarantining a system.
Why Other Options are Incorrect:
B. Disable remote logins through Group Policy: this reduces certain attack vectors but does not fully quarantine the system; other communication channels (for example, outbound connections from the malware itself) remain open.
C. Convert the device into a sandbox: this is impractical in real time. Sandboxes are controlled environments for detonating and testing suspicious files, not a method for isolating an already compromised production system.
D. Remote wipe the device using the MDM platform: this erases evidence and is too extreme for an initial quarantine. It prevents forensic investigation and is typically a last resort after evidence has been collected.