CompTIA Security+ Exam Preparation

What to Do When a Workstation is Potentially Infected with a Virus


Question

An incident involving a workstation that is potentially infected with a virus has occurred.

The workstation may have sent confidential data to an unknown internet server.

Which of the following should a security analyst do FIRST?

Answers

A. Make a copy of everything in memory on the workstation.
B. Turn off the workstation.
C. Consult the information security policy.
D. Run a virus scan.

Explanations

The FIRST step when a potentially infected workstation may be sending confidential data to an unknown internet server is containment: cut the workstation off from the network so that it can send nothing further and cannot spread the infection to other hosts. Of the options offered, the one that achieves this is option B: turn off the workstation. One caveat a practitioner should keep in mind is that powering off also destroys volatile evidence (running processes, open network connections, malware that lives only in memory). Where the incident response procedure calls for memory analysis, isolating the host by disconnecting the network (unplugging the cable, disabling Wi-Fi, or quarantining the switch port) contains it just as well while leaving that evidence intact, and any memory capture must happen before the machine is shut down.

Turning off the workstation ends all further communication with the internet server and stops the infection from spreading to other systems. It also protects whatever confidential data has not yet been sent. With the host contained, the security analyst can investigate at a measured pace and determine the extent of the infection and of the data loss.

Once the workstation is contained, the next step is to consult the information security policy to determine the appropriate course of action. The policy sets out the procedures and guidelines for incident response, which may include running a virus scan, analysing a memory image (which can only be captured while the workstation is still running), or contacting law enforcement if necessary.

Making a copy of everything in memory on the workstation (option A) and running a virus scan (option D) are both valid steps in the investigation, but neither is the first action. Performed while the workstation is still connected, they leave the malware free to keep transmitting data and spreading to other systems. Note also that the memory copy, if the policy requires one, has to be taken before any power-off, because the contents of RAM do not survive a shutdown.

In summary, the FIRST step a security analyst should take with a potentially infected workstation that may have sent confidential data to an unknown internet server is to contain it by isolating it from the network, which among the options given means turning it off (option B). After that, the analyst consults the information security policy and proceeds with investigation and remediation as the policy directs.
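The containment-first ordering described above, written out as a script, is an added example and not part of the exam page. It shows the practitioner's version of "isolate the workstation": capture the volatile network and process state first, then take every network interface down while the host stays powered on, so a memory image can still be taken afterwards. The script assumes a Linux workstation with the iproute2 tools (`ip`, `ss`) and procps (`ps`) installed and root privileges when it is allowed to execute; the interface names, evidence directory and the `QUARANTINE_EXECUTE` switch are hypothetical choices for the example.

```bash
#!/usr/bin/env bash
# Added example (not from the exam page): contain a suspected-compromised Linux
# workstation by cutting its network links while keeping it powered on, and
# snapshot volatile network/process state first so that evidence survives.
# Assumptions (hypothetical): iproute2 (`ip`, `ss`) and procps (`ps`) are
# installed, and the script runs as root when QUARANTINE_EXECUTE=1 is set.
set -u

# Interfaces that must never be taken down (loopback keeps local tooling working).
KEEP_IFACES="lo"

# Return the interface names that would be taken down: every interface in the
# whitespace-separated list given as $1 except those listed in KEEP_IFACES.
select_ifaces() {
  local out="" iface
  for iface in $1; do
    case " $KEEP_IFACES " in
      *" $iface "*) ;;            # protected interface, skip it
      *) out="$out $iface" ;;
    esac
  done
  printf '%s' "${out# }"
}

# Print the ordered containment plan, one shell command per line.
# $1: evidence directory, $2: interfaces to isolate.
# Order matters: volatile state is captured BEFORE the links go down,
# and the host is never powered off.
quarantine_plan() {
  local ev="$1" ifaces="$2" iface
  printf 'mkdir -p %s\n' "$ev"
  printf 'date -u +%%Y-%%m-%%dT%%H:%%M:%%SZ > %s/quarantine_started\n' "$ev"
  # 1. volatile network state: who the box is talking to right now
  printf 'ss -tanp > %s/ss_tanp.txt\n' "$ev"
  printf 'ip neigh > %s/arp.txt\n' "$ev"
  printf 'ip route > %s/route.txt\n' "$ev"
  # 2. running processes (the suspected malware is still alive at this point)
  printf 'ps -eo pid,ppid,user,lstart,cmd > %s/ps.txt\n' "$ev"
  # 3. only now cut the network; memory and process state remain intact
  for iface in $ifaces; do
    printf 'ip link set dev %s down\n' "$iface"
  done
  # 4. hash the collected evidence so later tampering is detectable
  printf 'sha256sum %s/* > %s.sha256\n' "$ev" "$ev"
}

# Execute the plan line by line, echoing each command as it runs.
run_plan() {
  quarantine_plan "$@" | while IFS= read -r cmd; do
    printf '[quarantine] %s\n' "$cmd"
    eval "$cmd"
  done
}

# Stand-alone use: prints the plan for a hypothetical host. Only with
# QUARANTINE_EXECUTE=1 does it enumerate the real interfaces and act.
if [ "${QUARANTINE_EXECUTE:-0}" = "1" ]; then
  live=$(ip -o link | awk -F': ' '{print $2}')
  run_plan "/var/tmp/ir-$(hostname)-$(date +%s)" "$(select_ifaces "$live")"
else
  quarantine_plan "/var/tmp/ir-example" "$(select_ifaces "lo eth0 wlan0")"
fi
```

Run it without arguments to review the plan; once the interfaces and evidence path look right, rerun it as root with `QUARANTINE_EXECUTE=1`. Because the host stays up, a memory image can still be acquired after the links are down, which is the step a hard power-off would have made impossible.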