PrepAway - Latest Free Exam Questions & Answers

What should he do about the situation?

An XYZ security System Administrator is reviewing the network system log files.
He notes the following:
Network log files are at 5 MB at 12:00 noon.
At 14:00 hours, the log files are at 3 MB.
What should he assume has happened and what should he do about the situation?


A.
He should contact the attacker’s ISP as soon as possible and have the connection
disconnected.

B.
He should log the event as suspicious activity, continue to investigate, and take further steps
according to site security policy.

C.
He should log the file size, and archive the information, because the router crashed.

D.
He should run a file system check, because the Syslog server has a self-correcting file system
problem.

E.
He should disconnect from the Internet and discontinue any further unauthorized use, because an
attack has taken place.

Explanation:
You should never assume a host has been compromised without verification.
Typically, disconnecting a server is an extreme measure and should only be done when it is
confirmed there is a compromise or the server contains such sensitive data that the loss of service
outweighs the risk. Never assume that any administrator or automatic process is making changes
to a system. Always investigate the root cause of the change on the system and follow your
organization's security policy.
