A security administrator is conducting network forensic analysis of a recent defacement of the
company’s secure web payment server (HTTPS). The server was compromised around the New
Year’s holiday when all the company employees were off. The company’s network diagram is
summarized below:
Internet
Gateway Firewall
IDS
Web SSL Accelerator
Web Server Farm
Internal Firewall
Company Internal Network

The security administrator discovers that all the local web server logs have been deleted.
Additionally, the Internal Firewall logs are intact but show no activity from the internal network to
the web server farm during the holiday.
Which of the following is true?

A.
The security administrator should review the IDS logs to determine the source of the attack and
the attack vector used to compromise the web server.

B.
The security administrator must correlate the external firewall logs with the intrusion detection
system logs to determine what specific attack led to the web server compromise.

C.
The security administrator must reconfigure the network and place the IDS between the SSL
accelerator and the server farm to be able to determine the cause of future attacks.

D.
The security administrator must correlate logs from all the devices in the network diagram to
determine what specific attack led to the web server compromise.