Page 1280 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide
An organization has an incident response plan that requires reporting incidents after verifying them. For security purposes, the organization has not published the plan. Only members of the incident response team know about the plan and its contents. Recently, a server administrator noticed that a web server he manages was running slower than normal. After a quick investigation, he realized an attack was coming from a specific IP address. He immediately rebooted the web server to reset the connection and stop the attack. He then used a utility he found on the internet to launch a protracted attack against this IP address for several hours. Because attacks from this IP address stopped, he didn’t report the incident.

18. What should have been done before rebooting the web server?
A. Review the incident
B. Perform remediation steps
C. Take recovery steps
D. Gather evidence
19. Which of the following indicates the most serious mistake the server administrator made in this incident?
A. Rebooting the server
B. Not reporting the incident
C. Attacking the IP address
D. Resetting the connection
20. What was missed completely in this incident?
A. Lessons learned
B. Detection
C. Response
D. Recovery

