A small business just recovered from a ransomware attack against its file servers by purchasing the decryption keys from the attackers.
The issue was triggered by a phishing email and the IT administrator wants to ensure it does not happen again.
Which of the following should the IT administrator do FIRST after recovery?
A. Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis.
B. Restrict administrative privileges and patch all systems and applications.
C. Rebuild all workstations and install new antivirus software.
D. Implement application whitelisting and perform user application hardening.
Answer: A.
After a ransomware attack, it is important to take measures that prevent a recurrence. In this scenario the business recovered by buying decryption keys rather than by rebuilding, so the same environment the attackers compromised is still in production, and the IT administrator must secure it before relying on it again.
Option A: Scan the NAS for residual or dormant malware and take new daily backups that are tested on a frequent basis. This is the right first step. Scanning the NAS for residual or dormant malware identifies anything the attackers left behind that decryption did not remove; a dormant component could otherwise re-encrypt the freshly recovered data. Taking new daily backups ensures that if another attack occurs the business can recover its data quickly, and testing those backups regularly confirms they are complete and actually restorable.
Option B: Restrict administrative privileges and patch all systems and applications. This is also a good step. Restricting administrative privileges limits what a user who opens a malicious attachment can install or change, and patching all systems and applications closes known vulnerabilities, reducing the risk of future attacks.
Option C: Rebuild all workstations and install new antivirus software. Rebuilding every workstation may seem attractive, but it is not always necessary, and it is time-consuming and expensive. New antivirus software can help prevent future infections, but it is not a complete solution on its own.
Option D: Implement application whitelisting and perform user application hardening. This is also a good step. Application whitelisting prevents unauthorized applications from running, reducing the risk of malware infections, and hardening user applications, for example by disabling unnecessary features, removes avenues that phishing payloads commonly rely on.
In conclusion, option A is the best choice: the IT administrator should first scan for residual or dormant malware and establish new daily backups that are tested frequently. Restricting administrative privileges, patching all systems and applications, and implementing application whitelisting remain important follow-up measures against future attacks.
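The "backups that are tested on a frequent basis" part of option A is only meaningful if a test restore is compared against a record made at backup time. The following is an added example, not from the original question or its explanation: it builds a SHA-256 manifest of a backup set, restores it, and reports files that are missing or altered. The helper names and the sample files in demo() are constructed in a temporary directory and are assumptions, not taken from any real system.

```python
import hashlib
import tempfile
from pathlib import Path

# Hypothetical helper names; the backup and restore directories in demo() are
# constructed in a temporary directory, not taken from any real system.
def file_sha256(path: Path) -> str:
    """Hash a file in chunks so large NAS files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(backup_root: Path) -> dict:
    """Record relative path -> SHA-256 for every file in a backup set.
    Keep the manifest apart from the backup so a tampered restore is detectable."""
    return {str(p.relative_to(backup_root)): file_sha256(p)
            for p in sorted(backup_root.rglob("*")) if p.is_file()}

def verify_restore(restore_root: Path, manifest: dict) -> dict:
    """Compare a test restore against the manifest: every file must exist and match."""
    missing, corrupted = [], []
    for rel, digest in manifest.items():
        target = restore_root / rel
        if not target.is_file():
            missing.append(rel)
        elif file_sha256(target) != digest:
            corrupted.append(rel)
    return {"checked": len(manifest), "missing": missing,
            "corrupted": corrupted, "ok": not missing and not corrupted}

def demo(tamper: bool = True) -> dict:
    """Constructed scenario: a two-file backup set and a test restore of it.
    With tamper=True the restore has one altered file and one missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, restore = Path(tmp) / "backup", Path(tmp) / "restore"
        for root in (backup, restore):
            (root / "finance").mkdir(parents=True)
            (root / "finance" / "ledger.csv").write_text("id,amount\n1,100\n")
            (root / "readme.txt").write_text("quarterly files\n")
        manifest = build_manifest(backup)
        if tamper:
            (restore / "finance" / "ledger.csv").write_text("id,amount\n1,999\n")
            (restore / "readme.txt").unlink()
        return verify_restore(restore, manifest)

if __name__ == "__main__":
    print(demo())
```

A scheduled job that runs verify_restore against each day's test restore and alerts on any non-empty missing or corrupted list turns "tested on a frequent basis" into a measurable control.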