An unauthorized user gained access to a merchant’s database server and customer credit card
information. Which of the following would be the FIRST step to preserve and protect unauthorized
intrusion activities?

A.
Shut down and power off the server.

B.
Duplicate the hard disk of the server immediately.

C.
Isolate the server from the network.

D.
Copy the database log file to a protected server.

Explanation:

Isolating the server will prevent further intrusions and protect evidence of intrusion activities left in
memory and on the hard drive. Some intrusion activities left in virtual memory may be lost if the
system is shut down. Duplicating the hard disk will only preserve the evidence on the hard disk,
not the evidence in virtual memory, and will not prevent further unauthorized access attempts.
Copying the database log file to a protected server will not provide sufficient evidence should the
organization choose to pursue legal recourse.